An Epic employee testified during a deposition that the company intended to deactivate the TCS employee’s account. But the account was mistakenly marked “expired,” which allowed the TCS employee to reactivate his account and use it during 2013 and 2014, according to court documents.
Epic failed to deactivate a TCS employee's credentials, allowing the employee to continue to access TCS' systems for two more years and use Epic's IP in future TCS consulting engagements. Epic then sued TCS, winning $994 million. Of course, had Epic deactivated the third-party employee's account, access would have been prevented, which makes the following statement slightly humorous.
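As an added illustration (not code from the article, Epic or TCS), a small offboarding audit that applies the lesson above: an account whose validity has merely "expired" is not deprovisioned, so the check requires a hard "disabled" state once the engagement ends and flags any login after that date. The record fields, status names and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed identity record; field and status names are assumptions,
# not taken from any real IAM product or from the Epic/TCS filings.
@dataclass
class Account:
    user: str
    engagement_end: date       # date third-party access should have been revoked
    status: str                # "active", "expired" (validity lapsed, may be renewable) or "disabled"
    last_login: Optional[date]

def offboarding_findings(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for third-party accounts not properly deprovisioned.

    "expired" is treated as a finding: a lapsed account can often be renewed or
    reactivated by its holder, which is exactly the gap the case above describes.
    Only "disabled" counts as revoked.
    """
    findings = []
    for a in accounts:
        if a.engagement_end > today:
            continue  # engagement still running; nothing to revoke yet
        if a.status != "disabled":
            findings.append((a.user, f"status is '{a.status}', expected 'disabled'"))
        if a.last_login and a.last_login > a.engagement_end:
            findings.append((a.user, f"login on {a.last_login} after engagement end {a.engagement_end}"))
    return findings

# Constructed sample: one lapsed-but-reactivated account, one correctly disabled,
# one still under contract.
SAMPLE = [
    Account("contractor1", date(2012, 6, 30), "expired", date(2014, 3, 5)),
    Account("contractor2", date(2012, 6, 30), "disabled", date(2012, 6, 12)),
    Account("contractor3", date(2030, 1, 1), "active", date(2025, 1, 2)),
]

def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample as of a fixed review date."""
    return offboarding_findings(SAMPLE, date(2014, 12, 31))

if __name__ == "__main__":
    for user, reason in audit_sample():
        print(user, reason)
```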
“This is basically every CIO and CISO’s nightmare – unauthorized access to sensitive data and information by offshore contractors that are a direct or indirect part of their supply chain,” said Avivah Litan, vice president and distinguished analyst at Gartner in an email.
I’m not sure if the nightmare is access to your IP by an offshore contractor or your failure to terminate a third-party’s credentials!
Of course, training and monitoring might have saved TCS $944 million.
The dispute arose in 2011 when Kaiser, which is not a party to the lawsuit, contracted with TCS to test new versions of Epic software before it was installed. Epic expressly did not allow anyone from TCS to access its Web portal containing product materials, updates, training materials and other documents detailing the software and its data model. If anything was needed from the portal, it had to be accessed by a Kaiser employee.
Another chuckle-inducing statement:
“A common mistake is that you codify the terms of engagement in a legal document but you don’t adequately monitor or audit those things,” Jon Oltsik, senior principal analyst at the Enterprise Strategy Group, told CIO Journal.
I’m not sure how often this is a mistake rather than a deliberate decision by management interested in cutting costs: penny wise, but pound foolish.