Who’s to Blame for a Data Breach?
In spring 2006, Ohio University (OU) discovered that it was the victim of five security breaches, some of which had occurred more than a year earlier. One of the incidents included a hack on an alumni-relations server that contained personal data on nearly 140,000 individuals. Another breach that occurred at the school’s health center may have compromised the data of nearly 60,000, including Social Security and medical information.
Upon the discovery, CIO William Sams elected in June to suspend Thomas Reid, his director of communication network services, and Todd Acheson, who served as the school’s Unix systems manager. A few weeks later, Sams took an additional step, terminating both employees.
Acheson and Reid subsequently appealed to a grievance committee. The committee concluded its recommendations in a letter to OU that called for both to be rehired and given public apologies. However, in November, provost Kathy Krendel, the school’s ultimate authority on the issue, upheld the decision to fire both workers.
But Krendel did admit that no wrongdoing was involved on the part of either employee. In fact, in her written statement, she concluded that “responsibility for designing and maintaining a secure network resided in your office.” She went on to state that the finding of nonfeasance “does not indicate any intentional or purposeful wrongdoing,” and “does not indicate that you intended to put our data at risk, but in fact, that was the result of failing to take the necessary proactive steps to protect confidential information.”
In the midst of all of this, Sams, who has served as CIO since 2004 and is under a three-year contract, announced his own resignation from the position. He said that “a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential.”
As a result, associate professor Shawn Ostermann, who has made public his lack of interest in assuming the position permanently, began serving as Ohio University’s acting CIO on Jan. 1. A search continues to find his permanent replacement. Sams will remain on staff in assistance to the provost, but will not be part of the school’s central IT program.
This story raises the question of who is ultimately charged with the responsible use and subsequent protection of personal data—a question that is highly applicable to the extended retail industry (ERI). And while educational institutions, colleges and universities in particular, have become targets of foreign-based cyber criminals and absolute hotbeds of personal data theft, the idea of justice seems altogether disserved by Ohio University’s handling of the matter.
Is a network services manager accountable for a data breach? Is a Unix administrator? Is it outright laughable to apply blame to such employees when no evidence exists that any wrongdoing took place? In OU’s case, further pending litigation will certainly help determine the details of this particular case.
However, as the retail industry is forced to become more diligent in its protection of invaluable consumer data, let us know your opinion about who is ultimately responsible for safeguarding the integrity of the customer’s data. Visit our blog (www.retailmattersblog.com) to share your thoughts.
Victoria’s Secret Names New CEO
Columbus, Ohio - Limited Brands Inc. on Monday announced that Lori Greeley will replace Grace Nichols as CEO of Victoria’s Secret Stores. Greeley is currently executive VP and general merchandising manager of intimates for Victoria’s Secret.
The retirement of Nichols, a 20-year Limited veteran, from the CEO post was announced in May 2006. She will take a new role supporting initiatives within Victoria’s Secret, including the growth of its Intimissimi brand.
Additionally, Mark Weikel, COO of Victoria’s Secret Stores, will add the title of president.
Wal-Mart to Focus on Expanding Seiyu
New York City - Wal-Mart Stores is open to acquisition opportunities in Japan, but the retailer is more focused on expanding business at its 53%-owned Seiyu chain, according to a report by Reuters. Shares of Seiyu jumped Monday after Wal-Mart vice chairman Michael Duke told the Nikkei business daily that the company might look for more acquisition opportunities in Japan.
The paper reported that Duke welcomed planned changes in corporate laws in May that will enable foreign companies to buy Japanese firms through share swaps.
Wal-Mart last year tried to invest in superstore operator Daiei Inc., aiming to boost its presence in the country, but it lost the chance to Aeon Co., Japan’s second-biggest retail group.
Wal-Mart entered the Japanese market in 2002 by taking a small stake in Seiyu. It has since invested more than $1 billion in the chain, but has yet to return the retailer to profitability.
Wal-Mart spokeswoman Amy Wyatt said Wal-Mart’s focus in Japan is on Seiyu.
“It’s a very sizable business today, so we still think that there are a lot of growth opportunities in the existing business,” she said.
In terms of acquisitions, she said: “I wouldn’t go as far as to say we’re shopping for them.”