[ISN] In lawsuit, OU tells former staffers: 'Oops, give us back those sensitive documents'

From: InfoSec News (alerts@private)
Date: Fri Oct 12 2007 - 08:09:45 PDT


http://www.athensnews.com/issue/article.php3?story_id=29518

By Jim Phillips
Athens NEWS Senior Writer
2007-10-11

Ohio University fired information-technology officials Tom Reid and Todd 
Acheson in August 2006 for allegedly being too sloppy about protecting 
information on OU computers.

Now the university's lawyer has asked a judge handling a lawsuit filed 
by Reid and Acheson to order the men to return sensitive 
computer-related documents that OU gave them by accident.

In a motion filed Oct. 5, OU attorney Andrew J. Mollica informed Athens 
County Common Pleas Judge Michael Ward that when the university provided 
discovery materials, it "inadvertently included" some documents that OU 
believes are legally protected, at least in part, from being turned 
over.

"Ohio University believes that dissemination of the unredacted documents 
may result in further compromise of its computer system," the motion 
added.

Mollica has asked Ward to order Reid and Acheson's attorneys to give the 
documents back, and to refrain from disseminating or using them in any 
way.

Reid was head of OU's Communication Network Services and Acheson was the 
department's UNIX systems manager. Both were fired in the wake of a 
well-publicized security breach, in which OU databases were found to be 
exposed to potential hackers on multiple occasions in spring 2006.

This opened access to personal data including Social Security numbers on 
tens of thousands of students, staffers, contractors, alums and donors, 
though it's not clear if any were stolen.

Last fall, an OU grievance committee recommended Acheson and Reid be 
reinstated, but OU Provost Kathy Krendl upheld their termination.

The two have sued OU in Common Pleas Court, over the university's 
refusal to release all records they have asked for in connection with 
their case.

OU maintains it has made adequate efforts to comply with what Mollica 
has called a voluminous records request, in a suit he labels in one 
court document as "nothing more than a veiled employment action."

A central point of contention is a report compiled for OU by an outside 
company, Moran Technology Consulting, which investigated the security 
breach. Reid and Acheson maintain Moran's report, which assigned them a 
large measure of blame in allowing the breach, played a big role in 
getting them fired.

They also contend that OU broke the law when it allowed Moran to dispose 
of interview notes used in creating the report. Some of these were later 
recovered, though OU continues to maintain they are not public records.

Now it appears that OU has given at least some of the disputed material 
to Reid and Acheson by mistake.

Mollica's motion states that the inadvertently released materials were 
"unredacted copies of Moran drafts and interview notes," though not a 
full copy of the report itself. (OU has issued a version with some 
material, which the university claims could further compromise its 
computer security, blacked out.)

OU also has asked Ward to grant it partial summary judgment, and dismiss 
a request by Acheson and Reid for a court order to compel OU to produce 
more documents.

Attorney Fred Gittes, who represents the fired OU employees, said 
Tuesday that he has no intention of using or releasing the documents in 
question until the court decides whether they're public - an issue he 
said "goes to the heart of the case."

He disputed Mollica's claim that the records lawsuit is only an 
employment action in disguise - a claim that he said "shows OU's 
ignorance, or hostility, to Ohio's Sunshine laws... We are trying to get 
information about important developments that are of great public 
interest. I can't over-emphasize that."

OU officials contacted for comment did not return a call by press time 
Wednesday.

IN A DEPOSITION by Moran President Charlie Moran, meanwhile, the IT 
consultant whose company's report is at the center of the controversy 
has claimed that an attorney in OU's Legal Affairs office basically gave 
him the green light to destroy his interview notes.

Under questioning by James Colner, an attorney for Reid and Acheson, 
Moran said that when his company got the contract to investigate OU's 
security breach, he was assured by then-Chief Information Officer Bill 
Sams that while the final report would be subject to public-records 
disclosure, the company's interview notes would not.

"Bill Sams said, 'I checked with legal; you're good to go. Yes, (your 
notes) can be confidential. And the only thing that's subject to open 
records is the final report,'" Moran testified.

After the report came out, however, and Reid and Acheson began asking 
for documents, Moran testified that he asked OU associate legal director 
Barb Nalazek during a June 2006 phone call about whether he needed to 
preserve the notes.

"I... explained to her that our company policy-wise is, on broad 
projects like this, because these notes tend to get misinterpreted, or 
have bullets and then they have confidential information in them, we 
tend to destroy all interview notes when a project is done just as 
policy," he testified.

Moran went on: "I said, 'At this point, you know, we were planning just 
to destroy them as is our normal corporate policy.' (Nalazek) said, 
'Well, that's up to you to do.' I said, 'As far as I know, you know, 
that's the agreement we've had.' I said, 'Are you telling me I have to 
keep them?' And she says, 'Well, no. But I am telling you Ohio 
University is not telling you to destroy them. OK?' And I said, 'Well, 
OK. But based on our agreement when we started the project, then, you 
know, we'll probably be destroying these things, just because we don't 
keep them around.'"

Moran acknowledged that he had no documentation showing that the call he 
described took place.

Colner asked him if he left the conversation with the impression that OU 
had authorized him to destroy the notes. Moran said he wouldn't use that 
wording, but that he did leave the conversation feeling that he had been 
told "that I had an option to do whatever I wanted to do with (the 
notes)," and after the call, "we deleted them."

