Jun 16, 2014
 

The 2013 breach at Maricopa County Community College District (MCCCD) in Arizona affected approximately 2.5 million faculty, staff, vendors, and students, making it the largest breach involving student information ever reported by a U.S. institution of higher education. A complaint by this privacy advocate alleges violations of the Safeguards Rule.

Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those. Limited available public records suggest that MCCCD knew they had a problem in January 2011, but failed to remedy identified vulnerabilities completely – despite repeated warnings by their own personnel and state auditors. By failing to address known risks, they left the door open to a second, massive data breach in 2013 that included personal and non-public financial information. As one of the largest higher education systems in the country, MCCCD was leaving 1/4 million students’ personal and financial information at risk each year, not to mention the personal and financial information of faculty, staff, and vendors. The risk was not confined to current students, either: when the breach was disclosed, students who had not attended MCCCD in decades found themselves having to worry about becoming victims of identity theft.

Because I have complained for years on PogoWasRight.org that student data privacy and security are not being adequately protected and the government has done little to enforce either, and because I think the MCCCD breach is the poster child for poor data security in higher education and poor breach response, I have filed a formal complaint with the FTC to ask them to investigate MCCCD’s data security.

While the FTC does not have authority to enforce Section 5 of the FTC Act over non-profits (which most universities and colleges are), the FTC does have authority to enforce a law known as the Safeguards Rule. That rule requires covered organizations to have a comprehensive information security program, and provides specific standards. The FTC has enforced the Safeguards Rule in nine cases, but none of them have been in the education sector. Because MCCCD’s own internal documents state that they are obligated to comply with the Safeguards Rule, I filed the complaint under the Safeguards Rule.

If the FTC investigates – and I hope they do – they will find what I think are a slew of unreasonable data security practices that violate the standards and were likely to cause customers and consumers significant harm. Penalties for non-compliance with the Rule include civil penalties of up to $10,000 per violation for officers and directors who are found personally liable, and up to $100,000 per violation for the financial institution itself. Criminal penalties include imprisonment for up to five years and fines.

What You Can Do to Help Yourselves

If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or were likely to cause you. The FTC’s online complaint assistant form does not seem well-suited to this purpose, so you may want to call them. You can also tell them you support the complaint filed by “Dissent” of DataBreaches.net.

Previous Coverage of the MCCCD Breach on DataBreaches.net: