http://www.dispatch.com/news-story.php?story=dispatch/2006/07/15/20060715-E1-00.html By Randy Ludlow THE COLUMBUS DISPATCH July 15, 2006 ATHENS, Ohio - A consulting firm hired to investigate data theft at Ohio University violated state public records law when it destroyed interview notes and other documents it used to prepare the audit, a newspaper has reported. Moran Technology Consulting of Naperville, Ill., acknowledged the error after The Columbus Dispatch filed a public records request in an effort to get copies of the materials. The firm's report recommended the removal of two employees. Officials at the company routinely discard such materials and didn't realize their contract with the university held them subject to Ohio's public records law, said firm president Charles Moran. "I apologize; we just didn't know," he said. The university did not authorize the company to dispose of the records, said John Burns, the school's director of legal affairs. The $85,440 contract Moran Consulting has with the university specifies that the school maintains ownership of the report's supporting materials and that the university is subject to public records law, the Dispatch reported. Moran characterized the missing paperwork as "virtually worthless." "These are not a transcript of everything said. We may do an hour of interview and get one page of bullet points out of it," Moran said. Under Ohio law, courts can award a $1,000 civil fine plus legal fees to a person filing a successful complaint regarding the destruction of records. In April, Ohio University announced it had discovered a computer breach at its training center for fledgling businesses. Since then, the school has identified a total of five instances of data theft at various offices that exposed 367,000 files containing personal information such as Social Security numbers, names, medical records and home addresses. Moran Consulting prepared a 55-page analysis criticizing the Computer and Network Services division's for making security a low priority for more than 10 years, though it had an annual budget averaging $11 million and recent annual surpluses averaging $1.4 million. After the audit was released, university trustees approved the spending of up to $4 million to bolster computer security. The school also suspended the director of the computer services department, Tom Reid, and the school's Internet and systems manager, Todd Acheson. Lawyers for both men requested copies of records used in the audit and copies of an uncensored version of the audit, which they have not received because Reid and Acheson refused to sign confidentiality agreements. Acheson's attorney, Fred Gittes, said that, without the materials used to compile the report, his client cannot defend himself against the audit's broad statements. "What a horrible position this puts Tom Reid and Todd Acheson in. There are these very vague, generalized statements with no specifics, and now we can't get the specifics," he said. A message seeking comment was left Saturday afternoon at the office of Reid's lawyer, James Colner. Information from: The Columbus Dispatch, http://www.dispatch.com _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Sun Jul 16 2006 - 23:33:29 PDT