[ISN] Connecticut Sues Consultant, Accenture, Over Lost Data

From: InfoSec News (alerts@private)
Date: Thu Sep 20 2007 - 22:00:56 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=201807932

By Sharon Gaudin
InformationWeek
September 20, 2007

The State of Connecticut is suing its own computer consultant, 
Accenture, for losing personally identifying information on 58 residents 
and hundreds of state bank accounts and purchasing cards.

Connecticut attorney general Richard Blumenthal announced he is suing 
the company for illegal negligence, unauthorized use of state property, 
and breach of contract. He filed the suit on behalf of state comptroller 
Nancy Wyman, whose office contracted with Accenture.

"Accenture deserves censure -- to be held accountable for allowing 
valuable secret data to be stolen and putting at risk state taxpayers, 
bank accounts, and purchasing cards," Blumenthal said in a statement. 
"Accenture acted unconscionably and illegally. It breached its 
commitment to keep confidential this highly sensitive financial 
information. The company broke its contractual promises and duty of care 
to safeguard the secrecy of sensitive data. It misappropriated state 
property -- taking significant valuable data for its own use without 
permission or authority."

Accenture released a statement saying the company is reviewing the 
matter.

"Based on what we know today, we believe that our policies were 
inadvertently not followed," the statement read. "We intend to take 
appropriate actions with any individuals involved and to reinforce with 
all of our employees, as we do on a regular basis, the importance of 
following our privacy and data protection policies."

The company also asserted that there is no evidence that the Connecticut 
data has been accessed or misused by an unauthorized third party.

"As the Ohio inspector general determined, the technical complexity of 
retrieving the data from the backup tape storage device makes the 
possibility that it will be used for improper purposes remote," the 
company noted. "We invest heavily in training our employees so they 
understand how to appropriately handle sensitive data and we impress on 
them the importance of following our policies. Accenture regrets this 
unfortunate incident, which was clearly caused by human error, and 
remains committed to working with our client in this matter."

According to an advisory from the attorney general's office, the lawsuit 
alleges that Accenture converted state property to its own use without 
permission, acted negligently, and violated its contract by allowing the 
sensitive data to be placed on a state of Ohio backup computer tape that 
was later stolen. The theft occurred in June, but Wyman's office was not 
notified that Connecticut information was involved until September 4.

The Ohio governor's office says a backup tape was stolen in Ohio last 
June. It allegedly contained data that Accenture removed from the 
CORE-CT computer system, which performs Connecticut's payroll, 
personnel, purchasing, accounting, inventory, and other functions. 
Accenture, which developed the CORE-CT system, was developing a similar 
government information system in Ohio.

Allegedly, this past weekend a state IT analyst found the tape contained 
virtually all Connecticut state agency bank account numbers, bank names, 
and types of accounts, as well other highly sensitive information, 
according to the governor's office. "Like a citizen whose wallet has 
been stolen, our first priority had to be safeguarding the information 
that was missing -- and that's just what we have done," said Connecticut 
Governor M. Jodi Rell, in a statement yesterday. "Now we need to start 
adding up the expenses we incurred in taking those actions and provide 
those figures to the attorney general so that he can recover those costs 
from Accenture. The repercussions of this loss are still being tallied 
-- and the final figure may not become clear for some time -- but we 
already know that Connecticut has incurred considerable expenses to deal 
with the loss of this information."


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Thu Sep 20 2007 - 22:25:28 PDT