Aug. 29, 2007
The Ohio Court of Claims today ruled in Ohio University's favor, dismissing a lawsuit that two Ohio University alumni filed more than a year ago.
The plaintiffs had asked the court to require Ohio University to pay for credit monitoring services in the wake of computer server breaches it discovered in spring 2006.
The university argued that no one subject to the security breaches had been financially damaged and that the plaintiffs were basing their claim on vague fears that harm could occur in the future. Additionally, the plaintiffs' definition of a "class" in their plea for a class action suit was not legitimate, the university contended.
Judge J. Craig Wright granted the university's motion to dismiss, saying the plaintiffs failed to prove that the breach caused damages for which they could be compensated.
"I understand how people felt when they learned that their data may have been exposed, because I was one of those people," said Ohio University President Roderick J. McDavis, a 1970 alumnus. "It can be frightening to think your personal information could be vulnerable.
"No individuals have suffered losses from this, though, and we remain hopeful that no one ever will," McDavis said. "I am pleased that the court agrees."
Donald Jay Kulpa of Cincinnati and David Neben of North Bergen, N.J., filed the complaint on June 23, 2006. As of today, the university's Legal Affairs office still has not received any substantiated cases of identity theft or fraud associated with the breaches.
After examining the systems in the wake of the compromises, information-technology analysts concluded that the hackers' reason for accessing university servers was to share and store music and movie files.
McDavis called upon national data security experts and formed a Security Incident Response Team immediately following the breaches and directed the group to take swift actions to close the gaps. The university also helped those affected to access free credit monitoring services.
The alumni association was among many who believed that the university took the right steps.
In an affidavit submitted to the court, then-chairman of the Ohio University Alumni Association Ronald H. Iori, stated:
"The association does not support the plaintiffs' effort to certify this case as a class action, nor does it support the plaintiffs' contention that Ohio University pay for credit monitoring services for all alumni.... The millions of dollars required to pay for credit monitoring for 173,000 people would, in the association's view, be better spent on efforts to improve the university's computer resources and security to ensure that no further compromises occur."
Within weeks of the security breaches, the university established an aggressive 20-point plan for strengthening data security, IT operations, hardware, staffing, training and planning. It already has eliminated most unnecessary uses of Social Security numbers and encrypted others when necessary; secured perimeter firewalls; and increased staffing, improved funding and developed detailed plans for IT operations at the university.
McDavis also hired a new chief information officer, J. Brice Bible, who continues to plan and implement new strategies, along with his team of staff and advisers.
"Ohio University's computer staff members have worked very hard over the last year to dramatically strengthen our data security. We began immediately and continue to take the steps necessary to try to prevent security breaches from happening on our campus," McDavis said.