http://www.athensnews.com/issue/article.php3?story_id=29518 By Jim Phillips Athens NEWS Senior Writer 2007-10-11 Ohio University fired information-technology officials Tom Reid and Todd Acheson in August 2006 for allegedly being too sloppy about protecting information on OU computers. Now the university's lawyer has asked a judge handling a lawsuit filed by Reid and Acheson to order the men to return sensitive computer-related documents that OU gave them by accident. In a motion filed Oct. 5, OU attorney Andrew J. Mollica informed Athens County Common Pleas Judge Michael Ward that when the university provided discovery materials, it "inadvertently included" some documents that OU believes are legally protected, at least in part, from being turned over. "Ohio University believes that dissemination of the unredacted documents may result in further compromise of its computer system," the motion added. Mollica has asked Ward to order Reid and Acheson's attorneys to give the documents back, and to refrain from disseminating or using them in any way. Reid was head of OU's Communication Network Services and Acheson was the department's UNIX systems manager. Both were fired in the wake of a well-publicized security breach, in which OU databases were found to be exposed to potential hackers on multiple occasions in spring 2006. This opened access to personal data including Social Security numbers on tens of thousands of students, staffers, contractors, alums and donors, though it's not clear if any were stolen. Last fall, an OU grievance committee recommended Acheson and Reid be reinstated, but OU Provost Kathy Krendl upheld their termination. The two have sued OU in Common Pleas Court, over the university's refusal to release all records they have asked for in connection with their case. OU maintains it has made adequate efforts to comply with what Mollica has called a voluminous records request, in a suit he labels in one court document as "nothing more than a veiled employment action." A central point of contention is a report compiled for OU by an outside company, Moran Technology Consulting, which investigated the security breach. Reid and Acheson maintain Moran's report, which assigned them a large measure of blame in allowing the breach, played a big role in getting them fired. They also contend that OU broke the law when it allowed Moran to dispose of interview notes used in creating the report. Some of these were later recovered, though OU continues to maintain they are not public records. Now it appears that OU has given at least some of the disputed material to Reid and Acheson by mistake. Mollica's motion states that the inadvertently released materials were "unredacted copies of Moran drafts and interview notes," though not a full copy of the report itself. (OU has issued a version with some material, which the university claims could further compromise its computer security, blacked out.) OU also has asked Ward to grant it partial summary judgment, and dismiss a request by Acheson and Reid for a court order to compel OU to produce more documents. Attorney Fred Gittes, who represents the fired OU employees, said Tuesday that he has no intention of using or releasing the documents in question until the court decides whether they're public - an issue he said "goes to the heart of the case." He disputed Mollica's claim that the records lawsuit is only an employment action in disguise - a claim that he said "shows OU's ignorance, or hostility, to Ohio's Sunshine laws... We are trying to get information about important developments that are of great public interest. I can't over-emphasize that." OU officials contacted for comment did not return a call by press time Wednesday. IN A DEPOSITION by Moran President Charlie Moran, meanwhile, the IT consultant whose company's report is at the center of the controversy has claimed that an attorney in OU's Legal Affairs office basically gave him the green light to destroy his interview notes. Under questioning by James Colner, an attorney for Reid and Acheson, Moran said that when his company got the contract to investigate OU's security breach, he was assured by then-Chief Information Officer Bill Sams that while the final report would be subject to public-records disclosure, the company's interview notes would not. "Bill Sams said, 'I checked with legal; you're good to go. Yes, (your notes) can be confidential. And the only thing that's subject to open records is the final report,'" Moran testified. After the report came out, however, and Reid and Acheson began asking for documents, Moran testified that he asked OU associate legal director Barb Nalazek during a June 2006 phone call about whether he needed to preserve the notes. "I... explained to her that our company policy-wise is, on broad projects like this, because these notes tend to get misinterpreted, or have bullets and then they have confidential information in them, we tend to destroy all interview notes when a project is done just as policy," he testified. Moran went on: "I said, 'At this point, you know, we were planning just to destroy them as is our normal corporate policy.' (Nalazek) said, 'Well, that's up to you do do.' I said, 'As far as I know, you know, that's the agreement we've had.' I said, 'Are you telling me I have to keep them?' And she says, 'Well, no. But I am telling you Ohio University is not telling you to destroy them. OK?' And I said, 'Well, OK. But based on our agreement when we started the project, then, you know, we'll probably be destroying these things, just because we don't keep them around.'" Moran acknowledged that he had no documentation showing that the call he described took place. Colner asked him if he left the conversation with the impression that OU had authorized him to destroy the notes. Moran said he wouldn't use that wording, but that he did leave the conversation feeling that he had been told "that I had an option to do whatever I wanted to do with (the notes)," and after the call, "we deleted them."?? __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Fri Oct 12 2007 - 08:42:49 PDT