Jun 162014

The 2013 breach at Maricopa County Community College District (MCCCD)  in Arizona affected approximately 2.5 million faculty, staff, vendors, and students, making it the largest breach involving student information ever reported by a U.S. institution of higher education. A complaint by this privacy advocate alleges violations of the Safeguards Rule. 

Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those. Limited available public records suggest that MCCCD knew they had a problem in January, 2011, but failed to remedy identified vulnerabilities completely – despite repeated warnings by their own personnel and state auditors. By failing to address known risks, they left the door open to the second and massive data breach in 2013 that included personal and non-public financial information. As one of the largest higher education systems in the country, MCCCD was leaving 1/4 million students’ personal and financial information at risk each year, not to mention the personal and financial information of faculty, staff, and vendors. The risk was not just confined to current students, either, as when the breach was disclosed, students who had not attended MCCCD in decades found themselves now having to worry about becoming victims of identity theft.

Because I have complained for years on PogoWasRight.org that student data privacy and security are not being adequately protected and the government has done little to enforce either, and because I think the MCCCD breach is the poster child for poor data security in higher education and poor breach response,  I have filed a formal complaint with the FTC to ask them to investigate MCCCD’s data security.

While the FTC does not have authority to enforce Section 5 of the FTC Act over non-profits (which most universities and colleges are), the FTC does have authority to enforce a law known as the Safeguards Rule.  That rule requires covered organizations to have a comprehensive information security program, and provides specific standards.  The FTC has enforced the Safeguards Rule in nine cases, but none of them have been in the education sector. Because MCCCD’s own internal documents state that they are obligated to comply with the Safeguards Rule,  I filed the complaint under the Safeguards Rule.

If the FTC investigates – and I hope they do – they will find what I think are a slew of unreasonable data security practices that violate the standards and were likely to cause customers and consumers significant harm. Penalties for non-compliance with the Rule include civil penalties of up to $10,000 per violation for officers and directors personally liable, and for the financial institution liable, penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines. 

What You Can Do to Help Yourselves

If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or were likely to cause you. The FTC’s online complaint assistant form does not seem well-suited to this purpose, so you may want to call them. You can also tell them you support the complaint filed by “Dissent” of DataBreaches.net.

Previous Coverage of the MCCCD Breach on DataBreaches.net:


Jul 272010

See the companion press release from the FTC in a previous post.

Rite Aid Corporation and its 40 affiliated entities (RAC) have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, RAC also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

Rite Aid, one of the nation’s largest drug store chains, has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

The OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States.  Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

Continue reading »

 Tagged with:
Jul 272010

The following is the FTC’s press release. In the next post, I’ll publish HHS’s press release on their settlement with Rite Aid.

Rite Aid Corporation has agreed to settle Federal Trade Commission charges that it failed to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related action, the company’s pharmacy chain also has agreed to pay $1 million to resolve Department of Health and Human Services allegations that it failed to protect customers’ sensitive health information.

“Companies that say they will protect personal information shouldn’t be tossing patient prescriptions and employment applications in an open dumpster,” said Jon Leibowitz, Chairman of the Federal Trade Commission. “We hope other organizations will learn from the FTC’s action against Rite Aid to take their obligation to protect consumers’ personal information

Rite Aid operates the third largest pharmacy chain in the United States, with about 4,900 retail pharmacies and an online pharmacy business.

The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications. At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act (HIPAA). This is the second case in which the FTC and HHS coordinated their investigations and settlements. The agencies resolved similar allegations with CVS Caremark in February 2009.

Continue reading »

 Tagged with:
Feb 262010

Jaikumar Vijayan of Computerworld was able to see a redacted copy of a  letter (Civil Investigative Demand) sent by the FTC to some of the organizations who were found to be leaking information via P2P networks:

It showed the agency is seeking information, dating back to mid-2007, on a wide-range of technology and process-related topics.

For instance, the FTC is asking for detailed information on the types of personal information being collected by the company, the purpose for which it is being used, and how the data is collected, shared and stored.

The letter seeks “detailed descriptions” on how the company compiles, maintains and stores personal information, as well as “high-level diagrams setting out the flow paths” of personal information from source to the point of use.

The company is also required to identify by name, location and operating system every computer that is used to collect and store personal information. In addition, it is required to provide a “narrative” or a blueprint that describes network components in minute detail, down to individual firewalls and routers, and even database tables and field names containing personal data.

The FTC is also requiring any information the company has about its knowledge of the data leaks. The details sought include who knew about the breaches, when, what attempts the company made to inform affected individuals, and why P2P software was allowed to be installed on a company system.

Read more on Computerworld.

Since these are “non-public” investigations, I’m not sure how much we’ll eventually find out, but these investigations and any actions may become a ‘cautionary tale’ for entities that still allow P2P on their networks or allow employees to transfer data to be taken home and used on computers that may have P2P software on them.

 Tagged with:
Feb 252010

ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Web sites, has agreed to settle Federal Trade Commission charges that it misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices. The settlements will bar future misrepresentations. The founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains.

Third-party privacy and security certification programs like ControlScan are used by Web sites to assure visitors and customers that the site is secure and consumers can feel confident about providing personal and financial information. Certification companies provide privacy and security “seals” to convey that an independent party is auditing the practices of the site regularly to be sure its data is not vulnerable.

ControlScan offered a variety of privacy and security seals for display on Web sites. Consumers could click on the seals to discover exactly what assurances each seal conveyed. For example, the company’s Business Background Reviewed, Registered Member, and Privacy Protected seals conveyed that ControlScan had verified a Web site’s information-security practices. However, the FTC alleges that ControlScan provided these seals to a Web sites with “little or no verification” of their security protections. Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to a Web sites with “little or no verification” of their privacy protections.

Continue reading »

 Tagged with: