Who’s to Blame for a Data Breach?

In spring 2006, Ohio University (OU) discovered that it was the victim of five security breaches, some of which had occurred more than a year earlier. One of the incidents included a hack on an alumni-relations server that contained personal data on nearly 140,000 individuals. Another breach that occurred at the school’s health center may have compromised the data of nearly 60,000, including Social Security and medical information.

Upon the discovery, CIO William Sams elected in June to suspend Thomas Reid, his director of communication network services, and Todd Acheson, who served as the school’s Unix systems manager. A few weeks later, Sams took an additional step, terminating both employees.

Acheson and Reid subsequently appealed to a grievance committee. The committee delivered its recommendations in a letter to OU that called for both employees to be rehired and given public apologies. However, in November, provost Kathy Krendel, the school’s ultimate authority on the issue, upheld the decision to fire both workers.

But Krendel did admit that no wrongdoing was involved on the part of either employee. In fact, in her written statement, she concluded that “responsibility for designing and maintaining a secure network resided in your office.” She went on to state that the finding of nonfeasance “does not indicate any intentional or purposeful wrongdoing,” and “does not indicate that you intended to put our data at risk, but in fact, that was the result of failing to take the necessary proactive steps to protect confidential information.”

In the midst of all of this, Sams, who has served as CIO since 2004 and is under a three-year contract, announced his own resignation from the position. He said that “a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential.”

As a result, associate professor Shawn Ostermann, who has made public his lack of interest in assuming the position permanently, began serving as Ohio University’s acting CIO on Jan. 1. A search for a permanent CIO continues. Sams will remain on staff assisting the provost, but will not be part of the school’s central IT program.

This story raises the question of who is ultimately charged with the responsible use and subsequent protection of personal data—a question that is highly applicable to the extended retail industry (ERI). And while educational institutions, colleges and universities in particular, have become targets of foreign-based cyber criminals and absolute hotbeds of personal data theft, the idea of justice seems altogether disserved by Ohio University’s handling of the matter.

Is a network services manager accountable for a data breach? Is a Unix administrator? Is it outright laughable to apply blame to such employees when no evidence exists that any wrongdoing took place? In OU’s case, pending litigation will certainly help determine the details.

However, as the retail industry is forced to become more diligent in its protection of invaluable consumer data, let us know your opinion about who is ultimately responsible for safeguarding the integrity of customer data. Visit our blog (www.retailmattersblog.com) to share your thoughts.