MCCCD Security breach escalates to Federal Trade Commission (FTC)
Privacy advocate files complaint with FTC over Maricopa County Community College District data breach
The FTC has scrutinized security breaches like the one at Wyndham hotels over the company’s failure to protect the personal and financial information it collects. The FTC has yet to enforce the Safeguards Rule at an educational institution; however, the number and size of breaches in education often surpass those of other industries. Institutions like MCCCD (the largest community college district in the nation) receive millions of dollars in financial aid and collect personal and financial information for over a quarter of a million individuals every year. This is the same kind of personal and financial information that companies in the private sector collect. Negligence and failure to protect personal information have been cited multiple times in the class action lawsuits recently filed against MCCCD.
In a recent article titled ‘the year of living dangerously’, the author clearly outlines what’s at stake if breaches like these go unanswered by the FTC. Organizations like Target Corp that understand the implications of inadequate security have held those at the very top responsible for massive financial losses and the consequences that follow a security breach. It goes without saying that if the FTC deems it necessary to investigate a breach affecting 500K individuals, such as the incident at Wyndham, an investigation of a security breach involving 2.5 million people at Maricopa Community Colleges is almost mandatory.
Educational institutions that claim to abide by the Safeguards Rule currently go unscathed when a massive breach takes place. Breaches at educational institutions are reported almost daily, yet there is no accountability at the top and no government oversight, and the public is often left to suffer and pay the consequences of negligence and irresponsible behavior. Massive lawsuits usually follow, leaving entire education systems at risk of bankruptcy or, worse yet, surviving but financially and operationally unable to properly secure information. Taxpayers and students usually get hit twice: once with the lifetime consequences of identity theft, and then again with the burden of paying for the fiasco via either tax or tuition increases. The long-term economic impact that results from damage to the institution’s reputation is incalculable. Without pressure from organizations like the FTC, the cycle repeats every couple of years and identity theft slowly becomes an epidemic of national and international proportions. This is particularly disturbing when it all could have been avoided had the institution felt obligated to have a decent security program in place.
As Paul Pair used to say, ‘there has to be a better way’. Unfortunately, when a public educational institution like MCCCD stops listening to its employees, loses 50% of its IT department, fails to protect the public multiple times, does not accept responsibility, lacks transparency and stewardship, threatens its own Governing Board, and uses attorney-client privilege to break the law and keep the media and public in the dark, it is time for the Federal Government to intervene to minimize the risk of another major breach.
Local government agencies in states like Arizona have little or no jurisdiction over educational institutions like MCCCD. The security breach of 2013 represents the largest security breach in the history of any educational institution in the nation. It makes no sense for the FTC to enforce the Safeguards Rule in one industry while leaving large amounts of personal and financial information exposed in others.
In the case of Wyndham, the company failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access, and failed to follow proper incident response procedures. As a result, Wyndham’s security was breached more than twice in less than two years. In the case of MCCCD, an almost identical situation took place, as outlined in the timeline of events that led to the 2013 incident.
If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD, under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or are likely to cause you.