EPIC files complaint against Maricopa County Community College District

EPIC has filed a complaint with the FTC concerning the massive data breach at Maricopa County Community College District. The Electronic Privacy Information Center (EPIC) filing concerns the loss of personal information of almost 2.5 million current and former students, employees, and vendors associated with the Maricopa County Community College District (MCCCD).

EPIC holds that MCCCD is covered by the Safeguards Rule and that the FTC can enforce it in the education sector.

EPIC is a public interest research center located in Washington, D.C. EPIC focuses on emerging privacy and civil liberties issues and is a leading consumer advocate before the FTC, according to the filing.

EPIC argues in the complaint that it “has a particular interest in protecting consumer privacy, and has played a leading role in developing the authority of the FTC to address emerging privacy issues and to safeguard the privacy rights of consumers.”

According to EPIC, the District’s failure to maintain a comprehensive information security program led to a “massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information.”

EPIC further alleges the District violated the Federal Trade Commission’s Safeguards Rule by failing to protect students’ financial information. EPIC’s complaint follows a similar complaint by DataBreaches.net. EPIC said that “many education institutions in the United States are subject to the Safeguards Rule. The District’s case is a particularly egregious example of the risk of failing to safeguard sensitive personal information.” For more information, see EPIC: Student Privacy.

In a statement on September 29, EPIC said “many education institutions in the United States are subject to the Safeguards Rule.”

According to the FTC:

The Safeguards Rule applies to individuals or organizations that are significantly engaged in providing financial products or services to consumers, including check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and retailers that issue credit cards to consumers.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must:

• designate the employee or employees to coordinate the safeguards;

• identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of current safeguards for controlling these risks;

• design a safeguards program, and detail the plans to monitor it;

• select appropriate service providers and require them (by contract) to implement the safeguards; and

• evaluate the program and explain adjustments in light of changes to its business arrangements or the results of its security tests.

The FTC relied on experts who suggest that “three areas of operation present special challenges and risks to information security: employee training and management; information systems, including network and software design, and information processing, storage, transmission and retrieval; and security management, including the prevention, detection and response to attacks, intrusions or other system failures. The Rule requires financial institutions to pay special attention to these areas.”

EPIC alleges that MCCCD’s case is a “particularly egregious example of the risk of failing to safeguard sensitive personal information.”

Miguel Corzo, the whistleblower in the MCCCD case, said, “If EPIC and others have their way, MCCCD will be held responsible for negligent behavior under the Safeguard rule. It is a whole new standard for compliance that will bring about a sea of change in educational institutions around the country. As a former higher-ed administrator, I find EPIC arguments very compelling. This is a case of governance missing the forest for the trees that ultimately led to the largest security breach in the history of higher-ed in this country. Financial data is financial data whether it resides in a large U.S. corporation or in one of the largest educational institutions in the country. The public deserves the same level of protection regardless of who they do business with. Our community will soon have a chance to set a new direction for MCCCD by voting politicians and new MCCCD Board Members into office that will hold those who ignored employee warnings accountable for their decisions. As Johanna Haver said ‘It is time for a new direction’. It is time for a new administration at MCCCD that does not look to raise tuition and property taxes on their community to pay for their mistakes, especially when the organization already has nearly $500 million in cash reserves. I urge the FTC to open an investigation and set a new standard for security in the education sector. Our community deserves no less.”


About ADI Staff Reporter
Under the leadership of Editor-in-Chief Huey Freeman, our team of staff reporters brings accurate, timely, and complete news coverage.