Grievance panel: Ohio U. should rehire fired IT execs

Committee finds that two managers weren't to blame for security breaches

A grievance committee at Ohio University is recommending that two top IT managers who were fired in August following a series of data breaches should be rehired and given public apologies for their dismissals.

In a three-page letter dated Oct. 1 that was obtained by Computerworld, the grievance committee also criticized outgoing CIO William Sams for not recognizing and addressing serious problems within OU's IT organization before the security breaches were discovered last spring.

Sams pinned the blame for the breaches primarily on the two fired IT managers, saying in his termination notices to them that they should have done more to secure the school's systems. But in its letter, the grievance committee wrote that OU's formal claims of malfeasance against the two managers were "unfounded" based on the evidence presented to the panel.

The matter now is before OU Provost Kathy Krendl, who will make a final ruling on the status of the IT managers. Krendl couldn't be reached today for comment on the grievance committee's recommendations or when she expects to issue her ruling.

The grievance committee said that Todd Acheson, who was OU's Unix systems manager, and Thomas Reid, formerly its director of communication network services, should receive back pay and benefits and that the Athens, Ohio-based school "should make a good-faith effort to find suitable employment" for them.

Ten days before Acheson and Reid were fired, the jobs they had held were eliminated as part of a reorganization of OU's IT department. The grievance committee wrote that if other positions aren't available for them now, they "should remain under contract for the remainder of the academic year and be provided with assistance in finding external employment."

The committee's letter said there was "ample evidence" that both men were fulfilling the specific security roles in their job descriptions and that OU's security problems didn't stem from their work activities. "There was no clear duty or authority granted to Mr. Reid or Mr. Acheson to develop IT community policies or procedures or to implement a plan for total network security," the panel wrote.

A large part of the problem, the grievance committee added, was that Sams didn't "appreciate the gravity of IT problems" at OU before the security breaches were discovered. The school's IT staff had been "fragmented and disjointed for many years," the panel wrote, noting that the department's "dysfunctional organizational structure and [its] lack of leadership continuity were exacerbated by the strong personalities of Mr. Reid and Mr. Acheson."

The failure of Sams to address those issues within the first six months of becoming CIO in September 2004 "was inappropriate for this level of administration," the grievance committee wrote.

Sams declined to comment on the grievance committee's letter today but said he awaits Krendl's final ruling on the possible rehiring of Acheson and Reid. "Obviously, I will abide by her decision," said Sams, who announced in July that he would resign once a replacement is found. At the time, he said that "a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential."

Both Acheson and Reid said this week that they were happy with the committee's findings.

"To have an independent committee vindicate Tom Reid and myself is a wonderful thing," Acheson said. "It just supports the story we've been telling all along, that our firings were unjustified."

"I'm very pleased with this first step in clearing my name," Reid said. "I'm cautiously optimistic that the university and I will be able to put this situation behind us."

Frederick Gittes, an attorney in Columbus, Ohio, who is representing Acheson, called the grievance committee's report "the first step in a long process of [both men] getting their reputations back."

A total of five security breaches came to light at OU in April, May and June. A break-in on a server that supported alumni relations exposed personal data belonging to about 137,000 people and went undiscovered for more than a year. A similar incident on a system at the school's health center may have exposed Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 people.

Acheson and Reid were first suspended from their jobs in June and then fired. In addition to their internal grievances, a lawsuit that was filed against the university on their behalf is pending in a court in Athens County, Ohio.

The discovery of the first three breaches prompted the school to hire a consulting firm to conduct a sweeping review of its systems and its IT organization. The review uncovered the other two breaches, and the consultants recommended a restructuring in IT to eliminate what they described as a siloed culture with quasi-combative relationships among different groups.

In late July, Sams and Krendl announced a 20-point IT action plan that included a series of technology investments as well as procedural and organizational changes.

First look: Office 2019’s likeliest new features
Shop Tech Products at Amazon