Commentary: We need a congressional inquiry into the MCCCD breach

President Truman had a sign on his desk that said, “The buck stops here.” We could use more of that accountability when it comes to data breaches in the education sector.

Back in 2006, when I first began blogging about data breaches on PogoWasRight.org, I covered a series of breaches at Ohio University. One of the things that made the Ohio U. situation newsworthy was that the university publicly fired two IT Managers.  The firings made sense to some, who suggested that having heads roll might be a smart public relations move to show that the university took the breach seriously.

But shouldn’t the heads that roll be the heads that were responsible? The two Ohio University employees were subsequently found to have had no responsibility for the breaches. Stunningly, even though a grievance committee recommended reinstatement and an apology, the provost decided she  would not rescind the firing because they “”failed in their responsibility for designing and maintaining a secure network.”

Firing employees for not providing a secure environment after you’ve ignored their recommendations that might have prevented the breaches seemed somewhat unfair to me.

And that’s what seems to be happening again in the aftermath of the Maricopa County Community College District (MCCCD) breach that I’ve been covering on this blog since last year.

When MCCCD finally – seven months after they were informed of the breach  – issued a statement and started notifying those affected, their notification to state attorneys general blamed IT employees who allegedly failed to live up to MCCCD standards and obstructed the investigation into the 2011 breach, allegedly thereby leading to the 2013 breach.

In the wake of the massive data breach, a number of employees resigned or were forced out. Based on information I’ve continued to review in my investigation,  I suspect there probably were grounds to hold a few of them somewhat responsible. But what is concerning to me is that MCCCD initiated disciplinary proceedings against two employees – Miguel Corzo and Earl Monsour – who wouldn’t be forced out because they had done nothing wrong and refused to become scapegoats for MCCCD’s mismanagement of its IT department and data security.

It is Ohio University all over again.

Based on MCCCD’s organizational chart for its ITS department in 2011, neither Corzo nor Monsour had any responsibility for the web servers that were  compromised in 2011. After the breach, they were asked to help and they tried repeatedly to get MCCCD to deploy appropriate security programs and controls that would have prevented the 2013 breach. Indeed, their efforts to address MCCCD’s inadequate security programs and policies began years before the first breach.

– In 2009, Corzo authored a strategic report to the District that made numerous recommendations that would be considered industry standard. His recommendations were allegedly dismissed by Vice Chancellor Kahkedjian.

– After the January, 2011 breach, Corzo, Monsour, and others, including Martin Gang (who left MCCCD in 2011),  quickly identified the problems leading to the 2011 breach and what needed to be done to remediate it. They repeatedly tried to get MCCCD to implement the recommendations of external consultants and ITS personnel.

– When MCCCD didn’t address the security issues in a timely fashion, Corzo and Monsour filed an oversight report. MCCCD allegedly did not respond to it. Nor did MCCCD appear to implement recommendations in a state audit that had noted deficiencies and concerns – recommendations that MCCCD said they agreed with and would implement.

– Not giving up in their efforts to address MCCCD’s serious data security deficiencies, Corzo and Monsour escalated the matter by filing a  grievance report in 2012. MCCCD allegedly did not respond to the grievance report, either.  Neither has their Governing Board, to whom the grievance report was recently escalated.

Not surprisingly, then, in  2013, two years after it had suffered a similar breach that it had not fully remediated, MCCCD suffered a  massive data breach that affected 2.5 million.

And MCCCD pointed the finger at two employees who had no responsibility for the first breach and had tried repeatedly and tirelessly to get MCCCD to implement effective policies and programs? Employees who weren’t even there in 2013?

Enough, already!

Inspection of the approximately 1,000 incidents in DataLossDB.org involving higher education institutions in the U.S. reveals that the MCCCD breach in 2013 was the largest data security breach ever reported by a U.S. institution of higher education.

Has MCCCD and its governing board accepted responsibility or said, “The buck stops here?”

No, they have not. They have seemingly tried to deflect blame to two employees who tried to protect customer and consumer information. And while MCCCD has tried to claim that a consultant’s report following the 2011 breach was never given to MCCCD at the “highest levels,” their claim has been loudly refuted by at least three employees who affirm that the report was given to the Vice-Chancellor of ITS at the time.

Yes, it would probably be appropriate to have some heads roll in this case, but if heads roll, it should start at the top – with the Chancellor and Vice-Chancellor – where there seems to have been serious failures in management. They need to be held accountable for failing to respond to repeated warnings and for failure to ensure that millions of people’s personal and financial information was adequately secured.

Frustratingly, while MCCCD is already facing several potential class-action lawsuits and is spending millions on security upgrades, credit monitoring services, lawyers, and consultants, MCCCD has so far escaped any federal regulators because no federal agency investigates or enforces data security in the education sector.

That needs to change. It’s high time the federal government took breaches in the education sector as seriously as it takes breaches in the business sector, the financial, and the healthcare sector.

Universities collect and store a tremendous amount of personal, financial, and health information.  This year, parents and privacy advocates have created waves throughout the country about the importance of protecting student data in the k-12 sector. Many of the same issues apply to secondary education.

If the FTC can put businesses under a 20-year monitoring plan, and if the FTC can go after Wyndham for repeated breaches and inadequate security, it should have the authority to hold universities accountable for data security, too.

Ask not where the buck stops, MCCCD. It stops with thee.

And this blogger is going to do what she can  to ensure that Congress and federal regulators understand that they can no longer sit on the sidelines and just hope that student data are adequately secured.

Just like Congress called Target officials in to answer questions about their massive breach, there should be a Congressional hearing about MCCCD’s data breaches. And if Congress really wants to understand how 2.5 million students, vendors, and employees wound up at lifetime risk of identity theft, it should have the FBI, MCCCD’s chancellor, vice-chancellor, Corzo and Monsour testify.  And in a second panel, they should have someone who can talk about breaches in the education sector, a representative from the U.S. Education Department, and a representative from the FTC to talk about what they currently can and cannot do with respect to enforcing privacy and data security in the education sector.

Will any member of Congress do this? If you agree it should be done, feel free to forward this commentary to your Senator and Representative.