The Maricopa County Community College District (MCCCD) data breach has, in some respects, been one of the more controversial data breaches of 2013. The district didn’t notify people affected by the breach until seven months after they found out about the intrusion. Furthermore, they only found out about it when the FBI contacted them.
But there is one notable thing about their actions: they’ve given the public a full accounting of how the data breach costs break down, a piece of transparency I haven’t previously seen, ever.
Whole Shebang May Cost $17.1 Million
In early March, MCCCD provided “an updated account of the costs” to azcentral.com, revealing that the information security fiasco is expected to cost $17.1 million. The breakdown, per azcentral.com:
- $2.25 million to Oracle to repair the computer system.
- $2 million to Bishop Fox, a security-consulting firm that has an office in Phoenix.
- $2.6 million to Eagle Creek, a Minnesota-based application-development company that worked with Bishop Fox to analyze and identify security problems in the system.
- $2.7 million to Wilson Elser, a Chicago-based law firm.
- $7 million to Kroll Advisory Services, a firm hired by Wilson Elser to send letters to the millions of people affected and offer credit monitoring and remediation.
- $600,000 for additional, smaller contracts.
This is $10.1 million more than the previously reported figure. Plus, there are reports that identity theft can be traced back to the exposed data, meaning there will be legal grounds for a lawsuit. Of course, not all two million people who were affected by the breach can make the claim. But, when you consider that the courts have been summarily dismissing data breach lawsuits for the lack of “cognizable harm,” this does not bode well for MCCCD.
Plus, remember how I mentioned the FBI had contacted MCCCD about the data breach? The FBI had been monitoring underground personal information bazaars when they ran across the MCCCD data. I don’t know how this will play out, but anyone whose information was found by the FBI could make the claim that they face a real risk of having their IDs stolen…or that they were irrefutably stolen.
Overall, it looks like not even MCCCD knows what the total cost of the breach will be (understandably), and the $17.1 million figure might be the current high mark until the next big revelation.
Credit Monitoring – Only 3% Signed Up
Another reason why the total cost cannot be determined is that MCCCD has no idea how many people will sign up for the free credit monitoring services they are providing:
Part of the contract with Kroll Advisory Services was based on the estimated number of people who would sign up for credit monitoring. As of Feb. 21, about 80,500 people had done so — only about 3 percent of the people who received letters.
The window for free credit monitoring ends Dec. 31, and the district will then know how many people signed up. [azcentral.com]
Why the low sign-up rate? Perhaps it’s because people know that credit monitoring doesn’t really do any good. Or, perhaps people are procrastinating. They do have another nine months to sign up, after all. Or perhaps they’re already signed up with another credit monitoring service from a previous data breach, and thus don’t feel the need to sign up for another one.
Regardless, three percent sounds awfully low, especially considering how the data breach first saw the light of day. I think that we can expect sign-up rates to increase as the year progresses.
Containing a Breach – A Losing Game
It’s been pointed out that MCCCD will have to raise tuition rates after having to go through the above ordeal, not only to deal with it but also to pay for improvements and updates that will prevent the recurrence of similar data breaches. In cases like these, an ounce of prevention really is worth a pound of cure. Instead of spending $17 million to deal with the aftermath of a data breach, imagine how much that money could have done to prevent such a data breach from happening in the first place.
Indeed, when you consider some of the expenditures – approximately $10 million for credit monitoring, lawyers, and other smaller costs – it appears that preventive measures could have cost MCCCD $7 million; possibly less, seeing how there’s more room for negotiation and other maneuvers when you’re not scrambling to contain a problem.