Ohio Governor's Statement on Inspector General Findings Regarding Theft of Data Device

"If there is a silver lining to be found in this matter, it is that despite the many poor decisions that were made, there appears to be little risk to state employees, taxpayers and vendors."

Ohio Governor Ted Strickland responded Friday to the State Inspector General Report of Investigation regarding the circumstances surrounding the theft of a computer back-up device.

"I appreciate the Inspector General's thorough review of the circumstances surrounding the theft of the state data device. The state is taking every precaution to ensure that this type of incident is prevented from occurring again," Strickland said. "We are attempting to hold accountable those determined to bear some responsibility for placing the sensitive, personal information of so many Ohioans at risk."

The Inspector General investigation determined that: "OAKS administrators failed to protect confidential information by authorizing state employees, including college interns, to take backup tapes containing sensitive data to their homes for overnight storage"; "OAKS, OIT (Office of Information Technology) and OBM (Office of Budget and Management) officials failed to report the theft of confidential information to state and law enforcement officials in a timely manner"; and "OAKS administrators failed to protect confidential information by allowing personnel to store sensitive data in an unsecured folder on the OAKS intranet." The Inspector General found no evidence to suggest state agencies or employees engaged in criminal or illegal behavior surrounding these circumstances.

The full Inspector General report can be found here: www.watchdog.ohio.gov.

Based on the findings, the Inspector General made seven recommendations, listed below. Following each recommendation are the state's actions in response.

IG Recommendation:

1. OBM, DAS and OIT should take appropriate disciplinary action against individuals responsible for losing the data tape; failing to ensure that Hilliard police were apprised of the potential seriousness of the theft; downplaying the seriousness of the theft to supervisors; and failing to ensure that sensitive information was removed from the OAKS I: drive.

State's Action:

For the reasons outlined in the report:

A. The Department of Administrative Services has accepted the resignation of OAKS Project Manager David White.

B. The Office of Budget and Management, after asking for his voluntary resignation and being refused, has discharged Intern Jared Ilovar.

C. The Office of Budget and Management has terminated the OAKS consulting contract for Compuware employees Avadhut Kulkarni, immediate supervisor to OAKS interns, and Brian Welch, OAKS assistant program manager.

D. The governor has directed Department of Administrative Services Director Hugh Quill to begin the appropriate classified employee administrative disciplinary review with respect to OAKS Team Leads Phil Rowe and Jerry Miller.

E. The Office of Budget and Management will place an outline of the Inspector General's report findings concerning former OAKS Technical Manager Carl Miller (retired as of June 1, 2007) in his personnel file.

F. The governor has met, today, with OIT Director Steve Edmonson to express his concern regarding the lack of rapid communication surrounding this incident.

IG Recommendation:

2. OBM, DAS and OIT should conduct an administrative review of all state agencies, boards and commissions to determine whether they have authorized employees to take home backup tapes for storage and, if so, order them to cease.

State's Action:

The governor called for the cessation of the longstanding practice of sending sensitive data storage devices home with employees after learning of the data device theft on June 14, 2007. The Office of Information Technology has directed all agencies to cease any such conduct.

An administrative review of all state boards and commissions is underway.

IG Recommendation:

3. OBM, DAS and OIT should ensure that all state agencies, boards and commissions utilize a secure method of storage for sensitive computerized data.

State's Action:

The governor issued an executive order (Executive Order 2007-13S: Improving State Agency Data Privacy and Security) on June 15, 2007, requiring all state agencies to utilize a secure method of storage for sensitive computerized data.

The Office of Information Technology is currently ensuring that all agencies, boards and commissions utilize a secure method of storage.

IG Recommendation:

4. OBM, DAS, and OIT should ensure that the OAKS project is brought under the jurisdiction of OIT's Security Incident Response policy.

State's Action:

This was accomplished through the governor's June 15, 2007 executive order (Executive Order 2007-13S: Improving State Agency Data Privacy and Security).

IG Recommendation:

5. OBM, DAS and OIT should ensure that a thorough security analysis of the OAKS project is conducted. We understand that Interhack Corporation is including this analysis in its scope of work. In addition, regular third-party security audits should be conducted to ensure the confidentiality, reliability and integrity of OAKS data. Policy reviews should be included as part of these regular audits.

State's Action:

The state contracted with Interhack, a Columbus-based firm dedicated to computer trustworthiness and information protection, to conduct an independent, third-party assessment of OAKS security. This was called for in the governor's June 15, 2007 executive order (Executive Order 2007-13S: Improving State Agency Data Privacy and Security).

Ohio has conducted regular third-party security audits and will add policy reviews to subsequent audits to ensure the confidentiality, reliability and integrity of OAKS data.

IG Recommendation:

6. OAKS should designate a chief security officer who is responsible for performing data security-related duties. This person, who should not be a contract employee, should be granted authority to make decisions regarding all information-security issues.

State's Action:

The state will designate a chief security officer for OAKS on or before August 31, 2007.

IG Recommendation:

7. OBM, DAS and OIT should determine whether there is shared liability with contractors assigned to the OAKS project for costs associated with the theft of the tape.

State's Action:

The state has had initial discussions about the shared responsibilities and costs associated with the theft of the tape with both key contractors, Accenture and Compuware.

It remains unlikely that someone can access the data contained in the device without specialized knowledge and equipment. The State of Ohio has no information to date that the data has been accessed, but continues to encourage everyone to take preventative precautions.

"We have seen no evidence to suggest the data has been compromised," Strickland said.

A review of the information contained in the stolen data device will continue, with the assistance of a data forensic expert, until every piece of sensitive information is identified.

The Inspector General Report of Investigation concluded with the following:

"If there is a silver lining to be found in this matter, it is that despite the many poor decisions that were made, there appears to be little risk to state employees, taxpayers and vendors. Based on our interviews with data-security experts, the technical complexity of retrieving the data makes the possibility that it will be used for criminal purposes remote."