DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Privacy advocate files complaint with FTC over Maricopa County Community College District data breach

Posted on June 16, 2014 by Dissent

The 2013 breach at Maricopa County Community College District (MCCCD)  in Arizona affected approximately 2.5 million faculty, staff, vendors, and students, making it the largest breach involving student information ever reported by a U.S. institution of higher education. A complaint by this privacy advocate alleges violations of the Safeguards Rule. 

Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those. Limited available public records suggest that MCCCD knew they had a problem in January, 2011, but failed to remedy identified vulnerabilities completely – despite repeated warnings by their own personnel and state auditors. By failing to address known risks, they left the door open to the second and massive data breach in 2013 that included personal and non-public financial information. As one of the largest higher education systems in the country, MCCCD was leaving 1/4 million students’ personal and financial information at risk each year, not to mention the personal and financial information of faculty, staff, and vendors. The risk was not just confined to current students, either, as when the breach was disclosed, students who had not attended MCCCD in decades found themselves now having to worry about becoming victims of identity theft.

Because I have complained for years on PogoWasRight.org that student data privacy and security are not being adequately protected and the government has done little to enforce either, and because I think the MCCCD breach is the poster child for poor data security in higher education and poor breach response,  I have filed a formal complaint with the FTC to ask them to investigate MCCCD’s data security.

While the FTC does not have authority to enforce Section 5 of the FTC Act over non-profits (which most universities and colleges are), the FTC does have authority to enforce a law known as the Safeguards Rule.  That rule requires covered organizations to have a comprehensive information security program, and provides specific standards.  The FTC has enforced the Safeguards Rule in nine cases, but none of them have been in the education sector. Because MCCCD’s own internal documents state that they are obligated to comply with the Safeguards Rule,  I filed the complaint under the Safeguards Rule.

If the FTC investigates – and I hope they do – they will find what I think are a slew of unreasonable data security practices that violate the standards and were likely to cause customers and consumers significant harm. Penalties for non-compliance with the Rule include civil penalties of up to $10,000 per violation for officers and directors personally liable, and for the financial institution liable, penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines. 

What You Can Do to Help Yourselves

If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or were likely to cause you. The FTC’s online complaint assistant form does not seem well-suited to this purpose, so you may want to call them. You can also tell them you support the complaint filed by “Dissent” of DataBreaches.net.

Previous Coverage of the MCCCD Breach on DataBreaches.net:

  • Maricopa Community Colleges notifies 2.5M after data security breach (update 6)
  • Breach at Maricopa Community Colleges may cost $14 million
  • There are lessons to be learned from the Maricopa County Community Colleges breach. Learn them, dammit.
  • Arizona law firm files notice of claim over Maricopa County Community College District breach; class-action lawsuit to follow?
  • MCCCD IT Employees: ‘District knew about security concerns’
  • Costs continue to mount in MCCCD breach
  • Maricopa County Community College District sued to compel public records production (update 1)
  • Another notice of claim filed against MCCCD following massive breach
  • In split vote, MCCCD extends contract with law firm for data breach-related services (updated)
  • Another lawsuit filed against Maricopa County Community College District over massive breach
  • Class action lawsuit filed against Maricopa County Community Colleges District
  • Commentary: We need a congressional inquiry into the MCCCD breach
  • The MCCCD breach: Breach costs now approach $20 million

 

Related posts:

  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements
Category: Commentaries and AnalysesEducation SectorHackOf Note

Post navigation

← Paytime sued over breach
UK: Payouts suggested for "irresponsibly used" patient data in care.data scheme – report →

4 thoughts on “Privacy advocate files complaint with FTC over Maricopa County Community College District data breach”

  1. Esther Lumm says:
    June 16, 2014 at 10:15 pm

    The sad thing is all of the innocent people that got or are getting fired for this breach, when the responsibility lies at the top…the chancellor. He’s the one that should have been fired for this fiasco, but instead the majority of the governing board is only looking at all the nice buildings, programs, and money he has added to the district. They have totally ignored all of the policies he and his attorney have violated in attempting to cover up their own mistakes in the IT department!

    1. Dissent says:
      June 17, 2014 at 7:56 am

      Blaming your employees or throwing them under the bus is not an element of a comprehensive information security program. There are a lot of documents that have been withheld from the public. The FTC has the ability to issue a CID (civil investigative demand). I hope they will. The education sector has to be held accountable for the security of the vast troves of personal and financial information they amass. Let it start with this case.

  2. Brandon P says:
    June 18, 2014 at 2:01 pm

    I attended Phoenix College from 90 to 94 and was one of the many affected by the MCCCD breach. The FCC does not make the online complaint form easy but I’ll consider filing it. It is my understand that in regards to higher education institutions the GLBA Safeguards Rule is primarily, but not exclusively, concerned with financial aid data. If an institution provides financial aid, and that’s practically all of higher ed, the institution should have GLBA on their radar. I never applied for financial aid during my time at Phoenix College so I’m probably not the best person to file a complaint.

    1. Dissent says:
      June 18, 2014 at 5:46 pm

      Primarily financial, but also personal info (according to my reading of the statute). I agree with you about the FTC’s form, which is why I thought it would be easier for folks to call. MCCCD put your personal info at risk and left you at risk of identity theft, right?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.