Firing of university IT staff over data breaches upheld

16.11.2006
The August firings of two IT workers at Ohio University (OU) after a series of data security breaches have been upheld by the school's provost. The move, made public Thursday, comes despite a recommendation last month by a grievance committee that the workers be rehired and given public apologies.

In letters Wednesday to the two former IT employees, Provost Kathy Krendl said she reviewed the grievance committee's three-page recommendation but concluded the firings were justified. Krendl has the final authority in such matters under the policies of the Athens, Ohio-based school.

Thomas Reid, director of communication network services (CNS), and Todd Acheson, Unix systems manager at the CNS unit, were fired in August by the university's CIO, Bill Sams, on the grounds of "nonfeasance."

"I must conclude that responsibility for designing and maintaining a secure network resided in your office," Krendl wrote Wednesday in separate two-page letters to Reid and Acheson. "I support Mr. Sams' finding of nonfeasance, noting that this finding does not indicate any intentional or purposeful wrongdoing. It does not indicate that you intended to put our data at risk, but in fact, that was the result of failing to take the necessary proactive steps to protect confidential information."

Krendl could not be reached for comment, but her office issued a statement on the university's Web site.

In her letters to the former employees, Krendl wrote, "The central issue was and is the need for a secure network that is designed to protect highly sensitive and confidential information. Clearly this responsibility lies within the purview of those who oversee and maintain the network.

"Based on the repeated data breaches, it is clear that we had not designed or implemented the necessary protections to secure student, faculty, staff, and alumni information," she wrote. "How such security can best be attained may be a subject of considerable debate, but whether such security is essential to our network is not."

Jack Jeffery, a spokesman for OU, had no comment on the decision. Sams, reached in his office today, also declined to comment. Sams resigned from his post in July but has remained on the job until a replacement is hired.

Reid and Acheson could not be reached immediately for their reactions.

Frederick Gittes, a Columbus, Ohio-based attorney representing Acheson, called Krendl's decision "shameful." "This is predictable, because Krendl was part of the original decision anyway," Gittes said. "The provost and the other members of the OU administration are prepared to destroy lives in order to cover up their own failures. They should be ashamed.

"Her letter provides no information" on how Acheson was responsible for the technical shortcomings in the university's network systems that were ultimately Sams' responsibility, Gittes said. "This is a kangaroo review. It demeans the process on the [grievance] committee because it doesn't really address their findings."

A total of five security breaches came to light at OU in April, May and June. A break-in on a server that supported alumni relations exposed personal data belonging to about 137,000 people and went undiscovered for more than a year. A similar incident on a system at the school's health center may have exposed Social Security numbers, dates of birth, patient IDs and clinical information on nearly 60,000 people.

Acheson and Reid were first suspended from their jobs in June and then fired. In addition to their internal grievances, a lawsuit filed against the university on their behalf is pending in a court in Athens County, Ohio.

The discovery of the first three breaches prompted the school to hire a consulting firm to conduct a sweeping review of its systems and its IT organization. The review uncovered the other two breaches, and the consultants recommended a restructuring in IT to eliminate what they described as a siloed culture with quasi-combative relationships among different groups.

In late July, Sams and Krendl announced a 20-point IT action plan that included a series of technology investments as well as procedural and organizational changes.