AOH :: ISN-2982.HTM

Alums who sued over data breach fight OU's dismissal motion




Alums who sued over data breach fight OU's dismissal motion
Alums who sued over data breach fight OU's dismissal motion



http://www.athensnews.com/issue/article.php3?story_id=25861 

By Jim Phillips
Athens NEWS Senior Writer
2006-09-07

The attorney for two Ohio University alumni who sued the university
for letting computer hackers access their Social Security numbers has
responded vigorously to a bid by OU to have the case thrown out of the
Ohio Court of Claims.

Cincinnati attorney Marc D. Mezibov's firm represents OU alums Donald
Jay Kulpa and Kenneth D. Neben, of Cincinnati and New Jersey,
respectively.

Mezibov argued in a recent court filing that in moving to have the two
men's suit dismissed, OU "attempts to hurriedly dispose of this case
without having to answer any important questions about its failure to
protect the private information, including Social Security numbers, of
an estimated 173,000 students and alumni."

Kulpa and Neben sued the university June 23, over a series of
incidents in which computer "hackers" accessed OU databases containing
personal information on thousands of students, alums, donors and
subcontractors.

The two want to have their suit classified as class-action litigation,
on behalf of all the people affected by the computer security
breaches. They seek to have OU pay for credit-monitoring services for
all the plaintiffs.

OU's state attorney has asked Judge Clark B. Weaver, Sr., to either
dismiss the suit, or grant summary judgment in OU's favor.

Randall W. Knutti of the Ohio Attorney General's office has argued
that the tens of thousands of people whose computer files were
accessed "could never constitute a class" in a legal sense, because
all they have in common is the fact that someone gained access to
their Social Security numbers.

Knutti also contended that the plaintiffs can't point to any actual
damages they've suffered from the security breaches, but base their
claims only on "a generalized fear of future harm."

Mezibov replied in a memorandum filed Aug. 28 that "the crux of OU's
argument is that plaintiffs and the putative class 'have not been
harmed in any way.' Yet in the same breath, OU admits that it issued
letters to plaintiffs warning them of the serious risk of identity
theft caused by its breach, admits that 33 individuals have reported
actual identity theft, and most astoundingly, admits that the putative
class members 'someday might be harmed as result of these security
breaches.'"

He goes on to slam OU for its dismissal motion that he claims "ignores
the record, ignores procedural and substantive law, and engages in
irrelevant attacks against plaintiffs' counsel simply for seeking to
hold it accountable for its undisputed failures."

Mezibov has asked Judge Weaver to either deny OU's motion, or postpone
considering it until after Mezibov has a chance to rebut its claims.

The attorney argued in his memorandum that OU relies on evidence
outside the legal complaint to support its request for dismissal or
summary judgment.

These include "a large number of affidavits and documents outside the
complaint - some of which are unauthenticated and inadmissible
hearsay," Mezibov maintained.

In support of Kulpa and Neben's claim that the security breaches
inflicted damages on them, Mezibov cited Ohio Supreme Court rulings
that he said have "repeatedly acknowledged the harm attendant to a
government entity's disclosure of an individual's Social Security
number."

These include a 1994 case involving the Akron Beacon Journal and the
city of Akron, in which the court wrote that disclosure of a Social
Security number to an unscrupulous individual is "potentially
financially ruinous" to the holder of the number.

Though OU has claimed that Kulpa and Neben cannot point to any actual
injury, Mezibov calls this assertion "simply incorrect. Plaintiffs
allege repeatedly that they have been injured by OU's failure to
protect their confidential information."

AN ATHENS WOMAN, meanwhile, has filed a pair of unlikely federal
lawsuits connected to the security breaches, naming as defendants OU
and Moran Technology Consulting, a company that investigated and wrote
a report on the hacking incidents.

In suits filed in June and July without benefit of legal counsel,
Cinseree Johnson has demanded $1.5 million in damages from each of the
two defendants.

She alleges that before the security breaches, she had submitted
"numerous requests" to OU asking that her personal data not be stored
electronically, and expressing concerns about possible data theft,
which she claims OU ignored.

She alleges that Moran "destroyed documents pertaining to an Ohio
University audit which they conducted. With this act, the company
destroyed documentary evidence and obstructed a pending proceeding."  
(The company had said it disposed of notes it used to write its
report, though recently it announced that it had found electronic
copies of the notes in old e-mails.)

OU has moved to have both the cases dismissed.



_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/ 

Site design & layout copyright © 1986-2014 CodeGods