By Brian Fonseca
October 10, 2007
An Ohio state official must surrender about a week of future vacation
time as punishment for not ensuring the security of personal data stored
on a stolen backup tape holding Social Security and other personal data.
The tape was pilfered in June from the car of an intern responsible for
carrying data used by the Ohio state government's computer systems.
Jerry Miller, payroll team leader for the Ohio Department of
Administrative Services' Administrative Knowledge System (OAKS) ERP
project, was informed of the decision by department officials on Sep.
26, said Ron Sylvester, a spokesman for DAS. Miller accepted the
penalty, Sylvester said.
Sylvester described Miller as a "stellar longtime DAS employee" and said
he has been forthright in acknowledging his role in the "management
glitch" pertaining to the stolen backup tape.
Last month, the state announced that an investigation by computer
forensics experts at Interhack Corp. in Columbus, Ohio, had determined
that the missing tape contained data on all 64,467 state employees,
19,388 former employees and 47,245 Ohio taxpayers.
The data breach is expected to cost the state upwards of $3 million.
Though the administrative services unit was responsible for the data,
Sylvester said the tape was handled by a number of people from other
"Part of the problem is [the data] was outside of any one single
person's hands. There were people who were not full-time tasked to OAKS
who were coming in from agencies doing data migration and testing and
introducing data on the drive," said Sylvester. "We believe we had some
contractors who continued to introduce data on the drive.
"One lesson that the state learned is that we need to throw more
resources at security and privacy when we have an issue like that," he
A third party brought in from Ohio's Office of Collective Bargaining
investigated the incident and recommended the penalty, Sylvester said.
"The next time the state takes on a project of this scope, we're going
to have people on the job whose major responsibility is just data
security," he added.