From: InfoSec News (alertsinfosecnews.org)
Date: Wed Aug 23 2006 - 01:58:38 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.columbusdispatch.com/news-story.php?story=207008

By Randy Ludlow
The Columbus Dispatch
August 23, 2006

Two fired computer-systems administrators filed a lawsuit yesterday
accusing Ohio University of illegally destroying public records.

The lawsuit filed by Todd Acheson and Thomas Reid seeks damages of
$1,000 for each record destroyed by a consultant hired by OU to
investigate data thefts by computer hackers.

Moran Technology Consulting, of Naperville, Ill., conducted an audit of
the causes of the data thefts and later destroyed interview notes and
other paperwork compiled during the audit.

Moran's contract stated the Athens university maintained ownership of
the materials behind Moran's report and notified the company that OU was
subject to the public-records law.

OU officials said they did not authorize Moran to destroy the materials.

Charles Moran, president of the firm, previously said that his company
routinely destroys such materials and did not realize they were public
records.

"These were public records for which the university was responsible.
Moran was working as OU's agent," said Fred Gittes, a Columbus lawyer
representing Reid.

"There is no reasonable explanation for why these were destroyed," he
said.

OU spokesman Jack Jeffery said the university would defend itself
against the accusations. He declined further comment.

State law forbids the destruction of public records without a formal
review and allows fines and legal fees to be awarded to parties filing a
successful complaint.

The lawsuit, filed in Athens County Common Pleas Court, suggests that
Moran illegally destroyed hundreds or thousands of records, entitling
Acheson and Reid to $1,000 in damages for each record.

This year, the Ohio Supreme Court and a federal appeals court ruled that
two Akron city employees were entitled to $860,000 for the destruction
of 860 individual records.

Acheson and Reid also accuse their former employer of violating Ohio's
public-records law by failing to provide copies of other documents they
requested.

The lawsuit contends Moran's report was biased, suggesting Acheson and
Reid were targets because of their concerns about another OU computer
project on which Moran was working.

The lawsuit also claims that OU administrators did not act on
computer-security improvements suggested by Reid since 1998.

In incidents disclosed this year, hackers rummaged through five OU
computers containing 367,000 files with personal information on
students, alumni and others.

The data included detailed medical records and up to 173,000 Social
Security numbers, prompting fears of identity theft.

Reid, director of computer and network services, and Acheson, Internet
and systems manager, were fired Aug. 4 for what OU officials said was
their failure to close security breaches in campus computers.

_________________________________
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]