By Jim Phillips
Athens NEWS Senior Writer
Ohio University fired information-technology officials Tom Reid and Todd
Acheson in August 2006 for allegedly being too sloppy about protecting
information on OU computers.
Now the university's lawyer has asked a judge handling a lawsuit filed
by Reid and Acheson to order the men to return sensitive
computer-related documents that OU gave them by accident.
In a motion filed Oct. 5, OU attorney Andrew J. Mollica informed Athens
County Common Pleas Judge Michael Ward that when the university provided
discovery materials, it "inadvertently included" some documents that OU
believes are legally protected, at least in part, from being turned
"Ohio University believes that dissemination of the unredacted documents
may result in further compromise of its computer system," the motion
Mollica has asked Ward to order Reid and Acheson's attorneys to give the
documents back, and to refrain from disseminating or using them in any
Reid was head of OU's Communication Network Services and Acheson was the
department's UNIX systems manager. Both were fired in the wake of a
well-publicized security breach, in which OU databases were found to be
exposed to potential hackers on multiple occasions in spring 2006.
This opened access to personal data including Social Security numbers on
tens of thousands of students, staffers, contractors, alums and donors,
though it's not clear if any were stolen.
Last fall, an OU grievance committee recommended Acheson and Reid be
reinstated, but OU Provost Kathy Krendl upheld their termination.
The two have sued OU in Common Pleas Court, over the university's
refusal to release all records they have asked for in connection with
OU maintains it has made adequate efforts to comply with what Mollica
has called a voluminous records request, in a suit he labels in one
court document as "nothing more than a veiled employment action."
A central point of contention is a report compiled for OU by an outside
company, Moran Technology Consulting, which investigated the security
breach. Reid and Acheson maintain Moran's report, which assigned them a
large measure of blame in allowing the breach, played a big role in
getting them fired.
They also contend that OU broke the law when it allowed Moran to dispose
of interview notes used in creating the report. Some of these were later
recovered, though OU continues to maintain they are not public records.
Now it appears that OU has given at least some of the disputed material
to Reid and Acheson by mistake.
Mollica's motion states that the inadvertently released materials were
"unredacted copies of Moran drafts and interview notes," though not a
full copy of the report itself. (OU has issued a version with some
material, which the university claims could further compromise its
computer security, blacked out.)
OU also has asked Ward to grant it partial summary judgment, and dismiss
a request by Acheson and Reid for a court order to compel OU to produce
Attorney Fred Gittes, who represents the fired OU employees, said
Tuesday that he has no intention of using or releasing the documents in
question until the court decides whether they're public - an issue he
said "goes to the heart of the case."
He disputed Mollica's claim that the records lawsuit is only an
employment action in disguise - a claim that he said "shows OU's
ignorance, or hostility, to Ohio's Sunshine laws... We are trying to get
information about important developments that are of great public
interest. I can't over-emphasize that."
OU officials contacted for comment did not return a call by press time
IN A DEPOSITION by Moran President Charlie Moran, meanwhile, the IT
consultant whose company's report is at the center of the controversy
has claimed that an attorney in OU's Legal Affairs office basically gave
him the green light to destroy his interview notes.
Under questioning by James Colner, an attorney for Reid and Acheson,
Moran said that when his company got the contract to investigate OU's
security breach, he was assured by then-Chief Information Officer Bill
Sams that while the final report would be subject to public-records
disclosure, the company's interview notes would not.
"Bill Sams said, 'I checked with legal; you're good to go. Yes, (your
notes) can be confidential. And the only thing that's subject to open
records is the final report,'" Moran testified.
After the report came out, however, and Reid and Acheson began asking
for documents, Moran testified that he asked OU associate legal director
Barb Nalazek during a June 2006 phone call about whether he needed to
preserve the notes.
"I... explained to her that our company policy-wise is, on broad
projects like this, because these notes tend to get misinterpreted, or
have bullets and then they have confidential information in them, we
tend to destroy all interview notes when a project is done just as
policy," he testified.
Moran went on: "I said, 'At this point, you know, we were planning just
to destroy them as is our normal corporate policy.' (Nalazek) said,
'Well, that's up to you to do.' I said, 'As far as I know, you know,
that's the agreement we've had.' I said, 'Are you telling me I have to
keep them?' And she says, 'Well, no. But I am telling you Ohio
University is not telling you to destroy them. OK?' And I said, 'Well,
OK. But based on our agreement when we started the project, then, you
know, we'll probably be destroying these things, just because we don't
keep them around.'"
Moran acknowledged that he had no documentation showing that the call he
described took place.
Colner asked him if he left the conversation with the impression that OU
had authorized him to destroy the notes. Moran said he wouldn't use that
wording, but that he did leave the conversation feeling that he had been
told "that I had an option to do whatever I wanted to do with (the
notes)," and after the call, "we deleted them."