I usually don’t find news about law firms’ contracts with respect to data breach-related services particularly noteworthy, but in the context of Maricopa County Community College District (MCCCD)’s data breach response, there’s been a newsworthy aspect.
Last year, MCCCD hired the law firm of Wilson Elser to handle their breach response.
As I noted on March 20, a law firm has sued MCCCD to compel production of public records related to the case after Wilson Elser failed to provide any requested documents, using personnel matters and concern for not providing a “road map” for hackers as their main explanations for not providing records. Had Wilson Elser advised MCCCD that they could and should withhold the requested records, or had their client instructed them to withhold the records against Wilson Elser’s advice? We’ll likely never know, but the failure to respond to public records requests has now generated additional litigation that may mushroom if media outlets also sue MCCCD for public records.
Additionally, employees involved in a personnel dispute over their roles in the breach informed DataBreaches.net that not only had MCCCD failed to provide them with the public records they need to defend themselves from disciplinary action, but MCCCD had gone so far as to demand they return records that had previously been provided to the employees under public records law. Did Wilson Elser advise MCCCD to do this or is this MCCCD’s decision despite advice from counsel? Again, we’ll likely never know, although statements made by one governing board member hint that Wilson Elser may have advised its client on the personnel/human resources aspect of the breach handling and MCCCD didn’t like their advice.
[Some of the involved MCCCD employees have created a timeline of the breach that covers the first breach in 2011 and what they allege are their repeated attempts to get MCCCD to respond to the unaddressed and unremediated security concerns. If documents support the timeline and allegations of Miguel Corzo and Earl Monsour, it’s a very damning situation for MCCCD, which has tried to hang responsibility for the 2013 breach affecting 2.4 million on the employees. The law firm of Gallagher & Kennedy, which represents some of the breach victims in a potential class action lawsuit, has now sought the court’s permission for an expedited deposition of Earl Monsour, who reportedly is gravely ill.]
In any event, when the MCCCD governing board met this week, one of the items on their agenda was the extension of Wilson Elser’s contract, although most of the discussion occurred in executive (non-public) session. The Arizona Republic reports that the MCCCD governing board voted 3-2 to extend Chicago-based Wilson Elser’s contract, but with an amendment that a Phoenix law firm must be brought in to assist with public records matters and litigation. The two board members who voted against the contract extension reportedly did so because they felt the lawyers had been “condescending” and “overstepping their bounds.”
So how did Wilson Elser offend its client – or at least two members of the governing board? The Arizona Republic reports:
Board members Debra Pearson and Randolph Lumm voted against extending Wilson Elser’s contract on Tuesday night after questioning the way the firm has dealt with the district.
“I have confidence that we can find a Phoenix firm that will not be condescending and talking down to us and doing things that are inappropriate and out of order,” Pearson said.
She proposed terminating the Wilson Elser contract and hiring a local firm exclusively to handle the security matters. That motion failed.
The district’s staff attorney, Lee Combs, said that Wilson Elser has projects under way and that dropping the firm would be “extremely inadvisable and wasteful.”
Lumm said he felt as though Wilson Elser’s lawyers were telling the district what to do.
“My concern is that I don’t want a law firm telling us how to run IT, telling us how to run HR,” he said. “I think they’ve overstepped their bounds. I think it’s inappropriate for out-of-state lawyers to come in here and say, ‘You need to structure your IT this way.’
“We asked them for security advice only, and when they start reshaping our IT, that’s out of order.”
If MCCCD’s handling of IT and/or human resources was so problematic as to put them at risk of more litigation (the EEOC has reportedly contacted MCCCD after employees filed a discrimination and retaliation complaint), I would hope that their law firm would advise them on the human resources aspect of their breach response. Perhaps the problem is not with the law firm in this case, but with the client?
MCCCD is a publicly funded institution that has seemingly seriously dropped the ball on data security. It has not been forthcoming with all stakeholders about what happened in 2011 and after that. Instead of criticizing their law firm, governing board members should be taking a long hard look at management at MCCCD to see whether the employees’ allegations of non-responsiveness to the 2011 breach caused the current problems. And they should immediately correct course and start releasing public records.
I think it’s reasonable to predict that the litigation against MCCCD will likely continue to mount and other plaintiffs – breach victims, employees involved in the breach, and media outlets – will likely join the fray. Stay tuned, as DataBreaches.net will continue to follow this case.
Update: ABC obtained the grievance report filed in 2012 by some of the ITS employees that pointed out the high risks and noted that recommendations made in 2011 had not been implemented. One of the employees involved informs DataBreaches.net that they never received a formal response to the grievance filed almost one and a half years ago. Documents such as the grievance report really challenge MCCCD’s attempts to blame employees for not making them aware of the situation or risks, and the employees who are sharing their story with the media in response to MCCCD’s attempts to blame them or to cover up failures at the administrative level deserve whistleblower protection.