The huge Maricopa Community College Data Breach just got a bit messier… here come the lawsuits. A little background on the breach can be found here.
The notice of claim for the first client was sent December 27. The notice of claim for the second client was sent January 30. Attorney Mark Fuller of G&K informs DataBreaches.net that MCCCD has not responded to either of the notices of claim yet.
In what may be somewhat typical of what appears to be MCCCD’s poor data security and breach response, MCCCD also apparently did not take steps immediately to preserve all evidence and instruct IT staff not to destroy or alter records. This would be pretty standard legal advice in the wake of a big breach likely to result in litigation, but MCCCD’s IT department was not instructed until February 5 – months after MCCCD disclosed the breach and one month after G&K reminded them of their obligation to preserve evidence for discovery. Even when MCCCD Legal advised ITS, ITS did not instruct its staff for another two weeks. The following internal email was provided to DataBreaches.net…
Pogo has done a great job covering the story and I would suggest reading the comments on her original post about the breach. Hopefully this will serve as a warning to organizations; Data breach response is not serious business.