Sanctions For Ohio Breach: Lost Vacation Time, Terminations, and a “Resignation”

The Ohio Department of Administrative Services (DAS) has determined that the appropriate sanction for inadequate security practices by the Ohio Department of Administrative Services’ Administrative Knowledge System (OAKS) ERP project system team leader, that resulted in the theft of an un-encrypted backup tape containing the personally identifiable information (PII) of 1.3 million individuals, is the loss of 40 hours of vacation time.


This data breach will reportedly cost the state of Ohio around $3 million.
The sanctioned team leader, Jerry Miller, who lost the vacation time, acknowledged he contributed to a “management glitch.”

“Though the administrative services unit was responsible for the data, Sylvester [a spokesperson for the Ohio DAS] said the tape was handled by a number of people from other state agencies.
“Part of the problem is [the data] was outside of any one single person’s hands. There were people who were not full-time tasked to OAKS who were coming in from agencies doing data migration and testing and introducing data on the drive,” said Sylvester. “We believe we had some contractors who continued to introduce data on the drive.”

According to a BNA report Miller did not follow procedures to move the data to a secure directory, although he was told to do so three months prior to the breach.
The backup tape was stolen from a state intern’s unlocked car.
An audit following the incident revealed that the PII for as many as 1.3 million people were vulnerable to crime, misuse and identity theft as a result of the incident.
The state of Connecticut later sued Accenture, one of its information technology contractors, for unauthorized use of “virtually all of Connecticut’s state financial account data as well as taxpayer information that was revealed to have been contained on the stolen Ohio backup tape.”
Ohio’s Inspector General applied sanctions to a total of 5 individuals for the incident.
1) Miller had 40 hours of vacation time taken away
2) The intern who had the tape in the unlocked car was fired
3) The manager for the intern “resigned”…not a direct sanction, but he very well could have been encouraged to leave because of the incident
4) & 5) The contracts for two consultants involved with the project were terminated
No one was prosecuted for criminal activities because a “series of poor decisions led to the theft”…it did not appear to be a pre-meditated malicious act.
It was just plain ol’ bad security practice.

“”The next time the state takes on a project of this scope, we’re going to have people on the job whose major responsibility is just data security,” he added.”

That’s good to know! It is good they learned the importance and value of information security…too bad it so often takes a security incident such as this for organizations to learn this lesson.
There are so many lessons involved with this incident. A few of these lessons include…
1) Someone with experience and knowledge in information security must be involved, from the very beginning through to the very end, within systems and applications projects.
2) All personnel involved with handling systems, applications and PII, including interns, contractors and consultants, must receive training and ongoing awareness communications so that they know and understand their responsibilities for safeguarding PII.
3) Mobile PII, that which is passed through networks or stored on mobile computing devices and mobile storage devices, should be strongly encrypted so that if the devices are lost or stolen, or the PII intercepted during network transmission, the unauthorized thief will be unable to do anything with the encrypted PII.
4) Sanctions must be applied consistently when security and privacy policies and procedures are not followed. This is the most effective way to motivate personnel and business partners to comply with policies and procedures.
5) Be sure your third party contracts, such as with consultants and contractors, include detailed security requirements, such as forbidding them to take your organization’s data to another of their client’s sites, or to put your data on the same storage media as for another of their clients. This tape in Ohio should never have had client data from the contractor’s Connecticut client stored upon it.
6) Only give individuals access to PII that need it to perform their business responsibilities.

Tags: , , , , , , , , , , , ,

Leave a Reply