Someone in Ohio should have been fired

[This story originally happened in 2007, but I just learned about it, so I blogged about it. Then I learned that it was a four-year-old story. Everything here still applies, even if the actual story is old. But I did re-edit the story and change its title because the original wording seems a bit odd four years later.]

Someone in the office of the State of Ohio should have been fired, and it isn’t the guy who already got fired.  He should get his job back.  This story has me fuming.  I don’t often write blogs like this, but here it goes.

The story as it was published in 2007 was “Intern loses backup tape with 800,000 SSNs on it. Intern fired.”  The real story, in my opinion, is what led up to this.  I read this article and this statement from the intern, and learned that the following allegedly happened in the State of Ohio:

1. The State of Ohio used (and may still use) unencrypted backup tapes to store SSNs and names

If your company or government entity is currently making tapes of any kind with SSNs on them, then fix it.  Fixing this costs so little now that it is simply unforgivable not to be encrypting your backup tapes — especially if you’re handing them to a dude in a truck.  If you’re handing them to an intern to take them home in a car… well, I really don’t know what to say.

This is not a new problem.  It’s not like we haven’t had hundreds — hundreds — of exposures over the past 10 years that show how bad this practice is.  Ignorance of this problem simply isn’t possible at this point.

2. Employees of The State of Ohio wanted to cover this up

They told the intern to not tell the police that one of the things stolen was a tape with sensitive data on it.  Seriously.  This tells me, of course, that they knew their unencrypted backup tape was a bad idea, and that they needed to keep others from knowing what they were doing.  It also tells me that they were liars.

3. The State of Ohio (a $52B/yr enterprise) had the money to hire $150/hr and $200/hr contractors full time, but didn’t have the money to hire Iron Mountain (and still may not have it)

Seriously.  It had been the practice for apparently 10 years or more for someone to take the backup tapes home in their car.  Do I really need to say why this was stupid?  A hot car is not where tapes should ever be stored — ever.  Asking someone who is off the clock to handle company property of any kind is also wrong.  Tapes — especially unencrypted tapes — should only be handled by professionals with procedures and policies to do such things.

No one ever told this young man what to do with this tape other than to bring it back the next day.  So not only was the practice to have him take it home, the practice was not to even give him any special instructions on how to handle the tape. Wow.

4. These same employees and their lawyer were bullies who needed a scapegoat and found one

The story about how they bullied this young intern into signing a resignation is just tragic.  He asked for an hour to think it over and they said no.  He asked for 20 minutes.  No.  He asked for 10 and they said no.  Just sign the paper.

Jared, if you’re reading this, I would gladly act as an expert witness on your behalf for any kind of wrongful termination lawsuit you want to file. (I know this offer is a little late, but it’s still out there.)

Someone in Ohio should have opened an investigation about the lack of security of taxpayers’ personal information, as well as the details behind this story.  But if that never happened (and I can’t find any evidence that it did), it’s probably too late now.


Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

4 comments
  • Curtis,

    I agree. There are many of those bullies all over the place. They should be put on trial.

    Regards,
    Erwin

  • Curtis

    Absolutely agree with you. It’s so wrong that the guy at the bottom of the hierarchy gets to carry the can on this when those behind the policy get away with it.

  • Outrageous!!! I’m in Ohio, and in the IT field, and never heard the gory details about this story. To send the tapes home with an employee is a doofus policy. Not to encrypt the tapes before sending them home is criminal, yet the person who made that call is probably still working for the State, wasting our tax dollars away still making stew-pid calls such as this one. Geez Louise. I’m speechless (well, just about speechless LOL)