Data Goofs Preceded Theft

Final Cost to Ohio Taxpayers Could Reach $2.2 Million!

from the Columbus Dispatch

E-mail exchanges among state officials about the theft of a computer backup tape containing sensitive personal information are clear: That material was not supposed to be on the tape.

What's not clear is why orders several months ago to remove the data were not followed, whether anybody will be punished and whether anyone besides taxpayers will be asked to foot the estimated $2.2 million bill related to the theft so far.

State leaders are looking to a report by Ohio Inspector General Thomas P. Charles, expected Friday, to address lingering questions about the incident affecting more than 1.2 million Ohio individuals, businesses and other groups with Social Security numbers or other information on the tape.

"It is my hope … that we will have a clear idea as to why the memo wasn't followed and who was responsible and why there wasn't follow-up," Gov. Ted Strickland said yesterday.

In response to a public-records request by The Dispatch, the Strickland administration has been releasing e-mail and other correspondence about the theft during the past few days.

Records provided yesterday include an e-mail from Budget Director J. Pari Sabety to Chief Information Officer R. Steve Edmonson on June 16, the day after Strickland announced that the backup tape had been stolen from a state intern's car.

"Personally identifiable information was not supposed to be saved on this drive," Sabety wrote, referring to a network drive where system workers primarily stored data from test runs that included personal information.

Despite the orders, Sabety said, "Clearly, there was an open debate … about moving data that needed to be secured."

The executive program manager for the Ohio Administrative Knowledge System, the state's new payroll and accounting system, sent an e-mail more than nine weeks before the theft ordering that Social Security numbers and other sensitive information be moved to a secure part of the system.

There's also discussion among system officials about "locking down" access to the drive until all personal data was secured, as well as talk in an April 2 e-mail about requesting certification from various users that no such data were on the drive.

Key individuals involved in the system have declined to comment until the inspector general's report is released.

"My sense is that efforts were made after the order to clean up the drive and keep it clean, but it's obvious that those efforts didn't carry through into June," said Ron Sylvester, spokesman for the Ohio Department of Administrative Services.

Meanwhile, Strickland confirmed yesterday that his office has discussed trying to hold financially accountable outside contractors who worked on the new system if it is proven they were significantly responsible for not securing the data.

"If we determine that is the case, it is highly likely that we will be interested in talking with them about some cost-sharing," Strickland said.

Although officials say there is no evidence the stolen tape has been used, the state is offering identity-theft services to all affected individuals at a cost to the state of $9.25 each.

As of yesterday, more than 102,900 people had started enrolling, which would cost $951,825 if all of them complete the process. Officials expect to spend $1.5 million on the services; the final bill, including printing, mailing and other costs, could reach $2.2 million.

Sylvester said the state has paid $63.8 million of the $158 million cost of the new system to outside contractors since 2001, with $48.6 million going to Accenture.

Accenture corporate spokesman Peter Soh said company officials "regret that the whole incident happened and any negative impact it could have on the citizens of Ohio."

But Soh said it wasn't Accenture's job to make sure the state data were secure. "Under our contract, Accenture is responsible for following the state's own printed security standards. To the best of our knowledge, we have followed those standards," he said.

Accenture, a business-consulting company that employs 100,000 people in 48 countries, won the unbid, professional-service contract two years ago.

Accenture was fired in 2001 from a $60 million computer project for the Ohio Department of Job and Family Services. At that time, the company agreed to pay the state more than $5 million for failure to complete the Ohio Works projects, aimed at matching unemployed people with jobs.