  * Case Number: a20110228.1
  * Status: Closed
  * Claimants: Fabian K
  * Respondents: CAcert
  * Case Manager: MartinGummi
  * Arbitrator: UlrichSchroeter
  * Date of arbitration start: 2011-02-28
  * Date of ruling: 2011-03-23
  * Case closed: 2011-03-23
  * Complaint: mistakenly moved ticket in the wrong queue

  * Relief: TBD

Before: Arbitrator UlrichSchroeter (A), Respondent: CAcert (R), Claimant: Fabian K (C), Case: a20110228.1


== History Log ==
 . 2011-02-28 (issue.c.o) case [s20110228.79]
 . 2011-02-28 (A): added to wiki, request for CM / A
 . 2011-02-28 (A): I'll take care about this case as (A)
 . 2011-02-28 (CM): I'll take care about this case as (CM)
 . 2011-02-28 (A): sent initmailing to (C) with CCA/DRP acceptance request
 . 2011-02-28 (SE1): proposals for handling support ticket
 . 2011-03-01 (A): Intermediate Ruling
 . 2011-03-01 (A): Intermediate ruling notification sent to participiants, with Exec request to Lists-Admins, Support
 . 2011-03-01 (A): moved ticket [s20110228.79] to Support-Engineer queue within OTRS with addtl. notes about A-word variation
 . 2011-03-01 (C): accepts CCA/DRP
 . 2011-03-01 (A): order to Infrastructure t/l for removal of mail from archive as given by the intermediate ruling
 . 2011-03-01 (IS t/l): confirms removal of email from archiv (thru irc)
 . 2011-03-01 (Support): [s20110301.10] questions sent to Pwd reset procedure participients following intermediate ruling part 3
 . 2011-03-01 (Support): [s20110301.10] finished execution of the the Intermediate ruling on Supports part. 
 . 2011-03-01 (Support): [s20110301.10] notification rcvd from ticket# participiant after closing the ticket
 . 2011-03-04 (A): report to (AS1), (M1), with request for acceptance of (C)'s apologize or if users wants to take any further action
 . 2011-03-04 (A): Incident Report under SP 5.6 sent to board-private, (Support t/l), (C)
 . 2011-03-04 (A): requesting statement from (Support t/l)
 . 2011-03-05 (Support t/l): sends statement
 . 2011-03-06 (AS1): I accept Fabian apologies and the solution adopted for solving this issue.
 . 2011-03-06 (M1): For sure I accept Fabian apologies. Is  interested in the measures to be adopted by CAcert to minimize human errors
 . 2011-03-06 (Board): [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20110306|Committee Meeting 2011-03-06]] topic 2.7 Incident Report following SP 5.6 under a20110228.1 (Ulrich) 
 . 2011-03-07 (A): are there any measures that can be adopted by CAcert to minimize human errors in Support area ? to (Support)
 . 2011-03-07 (SE-MM): Training is the only method that I can think of
 . 2011-03-16 (Support): [[Support/Team/Meetings/2011-03-16|Support Team Meeting 2011-03-16]] proposal for CATS alike Test for Triage members
 . 2011-03-23 (A): phone interview (Support t/l) regarding OTRS read only modes, Triage test to production: OTRS read only mode for new Triage members is possible, Triage test will become productive next week

== Original Dispute, Discovery (Private Part) (optional) ==

 * Link to Arbitration case [[Arbitrations/priv/a20110228.1|a20110228.1 (Private Part)]]

<<Include(Arbitrations/priv/a20110228.1)>>  

==== EOT Private Part ====

== Intermediate Ruling ==
For intermediate action I follow on point 1. and point 2. the proposal of Support-Engineer:

 1. The users, if not already happened, should be notified by the Triage member (C) about the privacy breach
 2. The lists admins should take the necessary steps to remove all private data sent to the list concerning this case (eg. remove the mails from the public archives)

Regarding continueing the original Pwd-recovery request I order Support to use a variant to the A-Word with addtl. questions to the participiants. In the case this step fails, to use the last grade: the assurer sending in the A-Word was the only assurer involved, the user will have to meet him again to consent on a new A-word.

Frankfurt/Main, 2011-03-01


== Discovery ==
 * Triage member moved a ticket with privacy informations into the wrong workqueue within ticket system ORTS
 * Triage member perceived his mistake at the same moment the ticket was moved, filed the dispute
 * Potential Privacy breach could be documented.
 * Privacy informations disclosed
  * Assurers Full Name + Email
  * Assurees Full Name + Email
  * Meeting date
  * Meeting date and time before
  * A-Word for password recovery
 * Affected Policies:
  * [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|Security Policy]] SP 5. INCIDENT RESPONSE
 * Ticket case participiants: (AS1) Jose A, (M1) Antonio P
 * 2011-03-06 (Board): [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20110306|Committee Meeting 2011-03-06]] topic 2.7
  {{{
2.7 Incident Report following SP 5.6 under a20110228.1

Ulrich: "starting this week (Monday?) Triage moved a ticket into a wrong queue, so that PII was posted public for about 12 hours ... Triage member filed a dispute, so that the actions could be taken as fast as possible ... currently running under a20110228.1. post was removed, participiants in this case was contacted, case documented. Final ruling on this case is outstanding right now"

Was a FYI. No action from board required.
}}}

 * 2011-03-16 (Support): [[Support/Team/Meetings/2011-03-16|Support Team Meeting 2011-03-16]] proposal for CATS alike Test for Triage members
  * Topic: Triage Test
  * Marcus: Online-test for TRIAGE members. The test will be implemented on the same system that CATS is on. It is based on real life cases that have been sanitized 

 * 2011-03-23 (A): phone interview (Support t/l) regarding OTRS read only modes, Triage test to production
  * OTRS read only mode for new Triage members is possible
  * Triage test will become productive next week

== Ruling ==
 * A Privacy breach has occured at the moment a ticket has been moved into a wrong queue.
 * The ticket has been distributed to the mailing list subscribers (between 600 and 700 subscribers)
 * With (C)'s fast and correct reaction - to file a dispute against himself - a further spread has been stopped. Especialy the post in the archive has been removed by the lists admins ASAP
 * (C)'s apologies to the affected members (AS1) and (M1) has been accepted.
 * (M1)'s question regarding measures to be adopted by CAcert to minimize human errors has been started within (Support) with a CATS alike test for Triage members, with sanitized training material. So here CAcert follows the [[http://svn.cacert.org/CAcert/principles.html|Principles of the Community]] x.  Training.
 * The last report seen was dated [[http://blog.cacert.org/2009/12/450.html|December 11th, 2009]] and talks about an error rate of 5%, to be decreased to about 1-2%. Assuming around 10 tickets a day, we're talking about 4200 tickets since Dec 11th, 2009. So 1 error per 4200 tickets comes to an error rate of max 0.020 - 0.025%
 * Despite the fact, the value is low, this issue from effected users view is inacceptable either way.
 * (C) is still continue working as Triage member, and now since 1 month no more problems occured. So this can be read as: lesson learned.
 * So I order to (Support t/l), to pass in new Triage team members only with passed Triage test, or if the Triage test is not still running, to pass new Triage members only after appropriate training under supervision, eg. set new Triage member to read only mode, train them with a supervising experienced Triage member or a SE
 * Further I rule to (C) a 2 months period on probation starting from the issue date (2011-02-28), otherwise to undergo a test again.
 * Apologies to the effected Assurer and Member.

Frankfurt/Main, 2011-03-23

== Execution ==
 * 2011-03-23 (A): sending ruling to (C), (Support t/l), (AS1), (M1). Case closed.

== Similiar Cases ==
|| [[Arbitrations/a20100313.1|a20100313.1]] || [[Arbitrations/a20100313.1|Coordinated privacy breach]] ||
|| [[Arbitrations/a20100304.1|a20100304.1]] || [[Arbitrations/a20100304.1|dispute for privacy purposes]] ||

----
 . CategoryArbitration
 . CategoryArbCaseSystemTasks