Previous |
Next |
April 03, 2009, 04:48 PM ET
Ohio University Closes Door on Breach Saga With $90,000 Settlement
Ohio University has settled a lawsuit with two former information-technology administrators, paying them a total of $90,000 because the university improperly failed to disclose some records related to an investigation of a data breach three years ago. Thus concludes a saga fraught with litigation, finger-pointing, and the perils of technology.
The university discovered in spring 2006 that holes in its network security system had left hundreds of thousands of files—including medical records and Social Security numbers for students dating back decades—exposed for more than a year. It fired the plaintiffs, Todd Acheson and Thomas Reid, after an audit from an independent company placed the blame on their shoulders.
However, a university Administrative Senate panel concluded after an investigation that the university had unfairly scapegoated the two administrators, and that William F. Sams, the vice provost for information technology, and other university officials were at fault in the breach. But when Mr. Acheson and Mr. Reid filed a grievance and sought reinstatement, they were rebuffed.
The two former employees contended that the university redacted from its final report on the matter some documents related to the independent auditor’s investigation. According to John J. Biancamano, general counsel to the university, administrators only redacted information they thought might expose the university to further data breaches. But Mr. Biancamano now admits that the university failed to disclose everything it should have.
In accordance with the settlement agreement, the university will issue a new version of its report that includes the information it should not have withheld. According to Mr. Biancamano, of the $90,000 it paid out to the plaintiffs, Mr. Acheson got $12,000 and Mr. Reid $10,000. The rest went to their attorneys. –Steve Kolowich
Categories: Security
Add Your Comment
Commenting is closed.