DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Maricopa County Community College District sued to compel public records production (update 1)

Posted on March 20, 2014 by Dissent

You may not be reading much in the news recently about the breach involving Maricopa County Community College District (MCCCD), but there’s a lot going on.  Unfortunately, MCCCD has reportedly not been particularly forthcoming with records that might shed light on what really happened back in 2011 when MCCCD was informed by the FBI that some personal information from one of their servers had been found for sale in the underground markets. Did MCCCD implement the necessary protections to prevent another breach of the same type, or did they fail to implement adequate security protections, enabling their massive 2013 breach? [Previous coverage of the MCCCD breach on this blog can be found here, here, here, and here].

Although MCCCD appears to be blaming an  employee or two for the 2013 breach that affected 2.48 million students, former and current employees tell a significantly different story.  There is now a website about the breach where they share some of their concerns.

In addition to the above, DataBreaches.net has heard from another former employee in MCCCD’s IT department who tells a frightening story of lax security with respect to credit card information and Social Security numbers. When asked about the 2011 breach, the employee stated:

MCCD did not have an incident response plan at that time and I believe that the information never left a select group of IT Administrators.

While that seems to provide partial support for any claims that high-level administrators may not have been fully informed about the 2011 breach, it also suggests that their own failure to have an incident response plan contributed to the situation. The same employee also stated she made numerous attempts to get administration to address security concerns – all to no avail.

In December and January, the law firm of Gallagher & Kennedy filed notices of claim on behalf of two clients whose data were involved in the breach.

This week, they filed suit to compel MCCCD to produce its public records relating to the two data breaches. According to their press release of today, MCCCD did not provide a single document.  In their complaint, they allege that MCCCD did not respond to requests for records concerning the 2011 incident, and that MCCCD’s law firm cited “pending employment actions” (and employees’ privacy and due process rights), and not wanting to give hackers a “roadmap” as their justification for not providing responsive documents in a timely fashion.  MCCCD’s external counsel’s responses to G&K’s public records request are Exhibits I and K in the request for an Order to Show Cause.

DataBreaches.net notes that not only has MCCCD seemingly not produced even a single document in response to the G&K’s public records request, but they have reportedly actively attempted to recall records they had previously released to others.

The 2.4 million students affected by a breach that may well have resulted from MCCCD’s failure to respond appropriately to the 2011 incident deserve real answers and accountability.

The taxpayers whose hard-earned dollars support MCCCD deserve real answers and accountability.

Those of us concerned about data security and privacy protections need transparency so that we can all learn what went wrong, in the hopes others will not repeat any errors made by MCCCD.

I do not doubt MCCCD’s lawyers’ claims that MCCCD has 743 terabytes of information, but if ever a breach involving a public entity demanded transparency and accountability, this is it.  DataBreaches.net urges the court to order MCCCD to start producing responsive documents promptly.

Update: The Arizona Republic subsequently reported on the issue of MCCCD’s failure to produce responsive documents, as they are also seeking public records in the case.  DataBreaches.net is not as concerned about obtaining MCCCD’s contract with external counsel, although that’s certainly an issue of public concern and right to know, but this blogger would definitely like to see the 2011 report and recommendations following the first breach, and correspondence concerning whether the recommendations were implemented and might have prevented the massive 2013 breach.

Related posts:

  • Did MCCCD leadership shut their eyes to a database security assessment for plausible deniability in litigation?
  • Privacy advocate files complaint with FTC over Maricopa County Community College District data breach
  • Commentary: We need a congressional inquiry into the MCCCD breach
  • In split vote, MCCCD extends contract with law firm for data breach-related services (updated)
Category: Commentaries and AnalysesEducation SectorHackOf NoteU.S.

Post navigation

← CVS Sued Over Controversial Wellness Program
Does Walgreens’ New Up-Close-And-Personal Pharmacy Approach Violate Privacy Laws? →

1 thought on “Maricopa County Community College District sued to compel public records production (update 1)”

  1. John says:
    March 21, 2014 at 2:43 am

    While it may be true that MCCCD has 743 TB of information (most of it coming from useless copies after copies of their large ERP systems), MCCCD can easily retrieve most of the records being requested via simple queries against their Google E-mail system used for employee emails. Most of the other information being requested is easily retrievable and has previously been produced in past record requests. Failure to produce a single document months after requests were made should give an indication to the State Attorney General Tom Horne, the State Ombudsman Dennis Wells and even the North Central Accreditation that it is time to get involved. When educational institutions don’t want to turn over documents like the law requires, it’s safe to make the assumption that they have something to hide.

    A petition in now online demanding that the MCCCD Governing Board take action in the matter of the 2013 data breach. So far, the MCCCD Board has taken no action regarding issues of lack transparency and lack of accountability at the top. It has been over 10 months since this breach took place and lawsuits are starting to pile up. Taxpayers deserve better than this in a publicly funded institution. Home-owners and students should not have to pay for this mess with tuition increases and additional tax levy.

    http://www.change.org/petitions/public-audience-demand-transparency-from-mcccd-sign-the-petition-2

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.