Wrongful Acts and Omissions
by Kent Strickland, ITS Information Security Officer
By now, many of you are aware of the state of Ohio information breach resulting from the theft of a backup tape from an intern’s car.
A report on the investigation by the Ohio Office of the Inspector General (OIG) is available through
http://watchdog.ohio.gov/investigations/2007190.pdf.
All BGSU employees are encouraged to read the OIG report. Perhaps by reviewing details from the report, similar mistakes can be prevented on our campus.
In this issue of Connect, Tom Roberts reviews the OIG report from the perspective of a victim, which is appropriate considering that, on average, over half of all Americans have been the victim of a (reported) sensitive information exposure in just the last 2-1/2 years (source: www.privacyrights.org). Since many at BGSU handle sensitive information in some way, it is useful to weigh the impact of an exposure on those to whom the information pertains–they are people, not data. Since most exposures are preventable or could be mitigated, in this article I will be analyzing the same OIG report from the perspective of a business process analyst.
Seldom does an information exposure result from a single unforeseeable technical problem or event. Breaches can usually be traced to multiple and sometimes cascading failures to effectively identify a weakness or threat in advance, or to properly act on that information.
These errors are identified as “wrongful acts or omissions” in ensuing investigations.
The theft of a backup tape was not the cause of the Ohio breach; rather, it was the consequence of a series of failures to recognize underlying process weaknesses and to overcome those using widely known best practices.
For example, in the report, we learned that in December a Department of Administrative Services supervisor sent a spreadsheet containing Social Security numbers to 70 state employees in various agencies with the simple objective of correcting email addresses.
In February, an assistant state auditor discovered that access could be gained to an Ohio Administrative Knowledge System (OAKS) intranet by using an old ID and password obtained by undisclosed means. The auditor was then able to access Social Security numbers of personnel. Immediate action was taken to assign interns to sanitize the intranet shared file system, to continuously watch for new sensitive information to appear and then to move it to a more secure area. Unfortunately, while this was a prudent activity, it was like bailing water from a leaking boat without attempting to plug the leaks or to prevent the cause of the leaks. These leaky data management processes resulted in sensitive information being written repeatedly to the intranet file system, which was backed up to tapes without encryption. The backup was completed under the direction of an intern, and the tape was then transported off site by another intern.
In May, human resources personnel at the Ohio Court of Claims could inadvertently access Social Security numbers, bank account numbers and other sensitive information on the OAKS intranet.
Failures of confidentiality, integrity or availability were already occurring. Warning signs were clear. Symptoms were (sometimes) treated, but not causes.
The OIG reviewed “work culture, policies and procedures.” Looking at policies and procedures makes sense, but good security practices at the data handling stages are required to prevent or mitigate an exposure. Security plans and strong attention to detail are required. These seem to have been sacrificed by the strenuous pace of the OAKS project. Simply stated–“haste makes waste.” Unfortunately, the burden of the personal information “waste” (cost and inconvenience) is transferred to innocent third parties–state employees and taxpayers.
Are similar problems evident in your area? The lack of strategic and risk management processes could result in wrongful acts and omissions that threaten the information privacy of innocent parties. The best advice is to seek knowledge and training.