It seems the firings of two IT workers at Ohio University last August have been upheld. Tom Reid, former director of communication network services, and Todd Acheson, former UNIX systems manager, were fired after security breaches exposed 173,000 files containing Social Security numbers, names, medical records and home addresses.
The two were not found guilty of, nor were they even accused of, intentionally putting data at risk, but the University Provost stated that they "failed in their responsibility for designing and maintaining a secure network."
Lawyers for the two ex-employees say that Reid and Acheson had been "submitting proposals for years that would have prevented the problems, but the higher-ups at the university refused to implement or fund them." That scenario is not difficult to imagine. If you've ever been in IT and tried to push an initiative through executive management, you know how hard it is. This happens very frequently with business continuity issues, where top brass doesn't want to spend money on "what-if" propositions.
Do precedents like this scare you? Or do they happen all the time but just don't make the courtroom?