Jamie Ross of Courthouse News reports that another lawsuit has been filed against Maricopa County Community College District (MCCCD) following a data breach it disclosed in November 2013 (search MCCCD for all previous coverage on this blog).
This latest lawsuit was reportedly filed by Jason Liebich, a current student at Phoenix College. It was filed in in Maricopa County Court by his lawyer, Robert Carey of Hagens Berman Sobol Shapiro in Phoenix.
According to the lawsuit, MCCCD is now “falsely advising class members that no data breach had occurred, including current students who were never informed (in writing or otherwise) that a data incursion had occurred.”
Liebich reportedly seeks class certification, compensatory damages, credit monitoring, credit restoration, and punitive damages for breach of contract and negligence.
So far, all of the lawsuits have been filed within the state. Given that some of those whose information was involved resided out-of-state at the time MCCCD acquired their personal information and/or now reside out-of-state, I’m waiting to see lawsuits filed in other jurisdictions with a possible move to consolidate in a federal court. But time will tell.
I continue to believe that this breach is not only an epic #FAIL on infosecurity, but also highlights why we need more data security enforcement and accountability in the education sector. When colleges amass tremendous amounts of personal information but fail to adequately secure it, who steps in and investigates? Not the U.S. Department of Education. Not the FTC, who has no authority over the education sector and non-profits, and likely not state attorneys general – particularly if the educational institution is a state agency. It shouldn’t require lawsuits by breach victims to hold educational entities accountable for data security.
For another example of a security fail involving an educational institution, see my post about the University of Virginia hack, here.