You may not be reading much in the news recently about the breach involving Maricopa County Community College District (MCCCD), but there’s a lot going on. Unfortunately, MCCCD has reportedly not been particularly forthcoming with records that might shed light on what really happened back in 2011 when MCCCD was informed by the FBI that some personal information from one of their servers had been found for sale in the underground markets. Did MCCCD implement the necessary protections to prevent another breach of the same type, or did they fail to implement adequate security protections, enabling their massive 2013 breach? [Previous coverage of the MCCCD breach on this blog can be found here, here, here, and here].
Although MCCCD appears to be blaming an employee or two for the 2013 breach that affected 2.48 million students, former and current employees tell a significantly different story. There is now a website about the breach where they share some of their concerns.
In addition to the above, DataBreaches.net has heard from another former employee in MCCCD’s IT department who tells a frightening story of lax security with respect to credit card information and Social Security numbers. When asked about the 2011 breach, the employee stated:
“MCCCD did not have an incident response plan at that time and I believe that the information never left a select group of IT Administrators.”
While that seems to provide partial support for any claims that high-level administrators may not have been fully informed about the 2011 breach, it also suggests that their own failure to have an incident response plan contributed to the situation. The same employee also stated she made numerous attempts to get administration to address security concerns – all to no avail.
In December and January, the law firm of Gallagher & Kennedy filed notices of claim on behalf of two clients whose data were involved in the breach.
This week, they filed suit to compel MCCCD to produce its public records relating to the two data breaches. According to their press release of today, MCCCD did not provide a single document. In their complaint, they allege that MCCCD did not respond to requests for records concerning the 2011 incident, and that MCCCD’s law firm cited “pending employment actions” (and employees’ privacy and due process rights), and not wanting to give hackers a “roadmap” as their justification for not providing responsive documents in a timely fashion. MCCCD’s external counsel’s responses to G&K’s public records request are Exhibits I and K in the request for an Order to Show Cause.
DataBreaches.net notes that not only has MCCCD seemingly not produced even a single document in response to G&K’s public records request, but they have reportedly actively attempted to recall records they had previously released to others.
The 2.4 million students affected by a breach that may well have resulted from MCCCD’s failure to respond appropriately to the 2011 incident deserve real answers and accountability.
The taxpayers whose hard-earned dollars support MCCCD deserve real answers and accountability.
Those of us concerned about data security and privacy protections need transparency so that we can all learn what went wrong, in the hopes others will not repeat any errors made by MCCCD.
I do not doubt MCCCD’s lawyers’ claims that MCCCD has 743 terabytes of information, but if ever a breach involving a public entity demanded transparency and accountability, this is it. DataBreaches.net urges the court to order MCCCD to start producing responsive documents promptly.
Update: The Arizona Republic subsequently reported on the issue of MCCCD’s failure to produce responsive documents, as they are also seeking public records in the case. DataBreaches.net is not as concerned about obtaining MCCCD’s contract with external counsel, although that’s certainly an issue of public concern and right to know, but this blogger would definitely like to see the 2011 report and recommendations following the first breach, and correspondence concerning whether the recommendations were implemented and might have prevented the massive 2013 breach.