Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: InfoSec News (alertsinfosecnews.org)
Date: Mon Oct 08 2007 - 03:05:26 CDT
By Moriah Balingit
SPLC staff writer
Copyright 2007 Student Press Law Center
October 5, 2007
OREGON -- When Western Oregon University student journalist Blair Loving
opened up a mysteriously placed file on the university's public server
last June, he thought he would find information about the College of
Education. Instead, he uncovered a file containing the names, Social
Security numbers, grade point averages and other sensitive information
of former students.
Loving's decision to download the file so that the campus newspaper, the
Western Oregon Journal, could report on the security breach nearly ended
his tenure as a student and led to the dismissal of the paper's adviser,
Susan Wickstrom, for allegedly mishandling a copy of the file and for
failing to advise the students about the university's computer policies.
Loving learned at a disciplinary hearing Sept. 28 that he would not be
expelled, but the infraction will remain on his record. Wickstrom was
informed in August that her contract would not be renewed.
"I worked there for seven years ...and I really feel like I had an
excellent relationship with the students," Wickstrom said. "So I was
really shocked and stunned to not have my contract renewed."
Additionally, during the course of the university's investigation into
the breach, computer technicians conducted a nighttime search of
newsroom computers without informing newsroom staff, a move that has
angered Wickstrom and other press advocates.
Stumbling on a story
Loving said he discovered the file while in the library on June 6, the
Wednesday before finals week. He took it to Editor in Chief Gerry
Blakney, who copied the information onto a disc and gave it to
Wickstrom. Blakney and Loving then reported the breach to the
university, which launched an investigation.
Vice President for Student Affairs Gary Dukes said the students whose
information was in the file were informed immediately. He added that the
file got out onto the server as the result of a "mechanics issue."
Though the paper's final publication date had already passed, editors at
the Journal decided that the story was too important to hold until the
following school year. So the week after Loving discovered the file, the
paper published a four-page special edition with an article that
detailed Loving's discovery of the security breach. The article did not
include any student's private information. The paper also reported that
the university was pursuing disciplinary action against Loving for
violating the university's computer policy.
During the course of the university's investigation, the director of
University Computing informed Wickstrom that computer technicians had
been let into the newsroom after hours to search newsroom computers.
She was outraged. Neither she nor anyone on staff had been consulted or
informed that the search was going to occur, she said.
"Nobody knew about it," she said. "I feel like the newsroom should have
been protected by federal and state law."
Duane Bosworth, a Portland, Ore.-based attorney who specializes in media
law, said Oregon has the broadest shield law in the nation, which
heavily restricts when law enforcement can perform searches of
newsrooms. The federal Privacy Protection Act provides similar
"It's protective of all unpublished information period ... and it goes
without saying that it includes information on computers," he said.
"People think they can just barge into any sort of student setting."
Professor Kyu Ho Youm, a communication law professor at the University
of Oregon School of Journalism and Communication, said the physical
intrusion of university administrators could create a "chilling effect."
"The university administrators should give the students the benefit of
the doubt instead of sending someone to search the newsroom without any
sort of warning," he said.
Two months after the university's investigation into the breach,
university officials informed Wickstrom that her contract would not be
renewed. In a letter addressed to Wickstrom, Dukes cited her failure to
remind students of computer policies and mishandling of the disc that
contained the information as reasons for her dismissal. The letter said
that she left the disc in her unlocked office and later allowed it to be
taken off campus.
Loving was found in violation of the university's policy regarding
computer use, which prohibits "accessing clearly confidential files that
may be inadvertently publicly readable." After a disciplinary hearing on
Sept. 28, Loving told The Oregonian that he would not be expelled, but
he has to publish an article in the Journal about the importance of
computer policies and create a proposal to help students understand the
computer policy. Dukes said the newspaper would not be compelled to
publish the article that Loving writes.
When Loving was contacted by the Student Press Law Center, he said his
attorney asked him not to comment.
Wickstrom called the punishment "Soviet" and said she felt the
university was overreacting, especially since Loving informed the
university of the breach so promptly.
"I feel that the university was fortunate that the person who opened
[the file] told them right away rather than using the identities to buy
meth," she said.
But Dukes said that students are not supposed to download files
containing confidential information, even if they accidentally make it
onto the public server.
"It's a violation to download information that you're not supposed to
have access to," he said. "That's the bottom line and that's the issue."
Although Dukes could not comment on Wickstrom's case directly, he said
that if a newspaper adviser became aware that a student journalist
possessed a file that contained confidential information, the adviser
should "be informing those students of the policy ...and advise them to
be getting rid of that file or turn it over."
Wickstrom said she had about an average knowledge of university policy.
But knowing the policy better would not have changed her actions, she
"I thought my major responsibility was to protect the students' right to
gather information and their responsibility to seek the truth even if it
revealed a university weakness," she said. "I didn't think that the
information was in danger of being leaked from our newsroom or anything
College Media Advisers and the Society of Professional Journalists have
launched investigations into Wickstrom's dismissal.
"It's just shocking," said Kathy Lawrence, the CMA's chairwoman of
adviser advocacy. "As far as I can tell all she did was act like an
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com