Culture of expediency also to blame in Ga. data breach


The Georgia Secretary of State’s office, which acknowledged last month it inadvertently released personal information on every registered voter in the state, has blamed a single employee for the breach.

But records show the problem was deeper than the Secretary of State’s office has acknowledged, revealing a business culture that ignored written policies for the sake of expediency, according to a review by The Atlanta Journal-Constitution.

Secretary of State Brian Kemp, who declined to answer the AJC’s questions, blamed the release of Social Security numbers, birth dates and drivers’ license numbers on Gary Cooley, a low-level computer programmer. Kemp quickly fired Cooley, saying he failed to follow data-handling procedures and covered up his mistake for weeks.

Yet employee statements, emails, policies and other documents — hundreds of pages included as exhibits to the report — present a more nuanced picture of an office that paid little attention to the policies put in place to safeguard data until it was too late.

The day after the breach was discovered, the chief information officer for Kemp’s office, Merritt Beaver, acknowledged the lackadaisical approach to policies in an email sent to IT staff. Any changes to the office software had to adhere to policy “starting immediately,” he wrote.

“This has been the policy on most of our systems but there has (sic) been too many exceptions or workaround (sic) to get around the release management process,” he said.

Earlier this month, Kemp issued an 18-page investigative report on the breach, which impacted 6.2 million registered voters, that placed the blame on Cooley, a veteran computer programmer.

Kemp’s office refused to respond to a list of follow-up questions from the AJC, including questions as basic as when certain employees were hired and requests to clarify certain statements made about the release of the data.

“All of this is included in the reports and exhibits,” said David Dove, Kemp’s lawyer and new chief of staff.

When pressed to point out the answers to The AJC’s questions in the mounds of documents, Dove did not reply.

Kemp’s office faces intense scrutiny following the admission last month that the personal information of every registered voter in the state was improperly included in files sent out to a dozen political and media organizations, including both the state Republican and Democratic parties, and the AJC. The organizations are entitled to voter registration information, which is considered a public record under the law, and routinely request the most recent data from the Secretary of State.

While the breach occurred Oct. 13, the Secretary of State’s Office didn’t find out about it until Nov. 13. It also didn’t publicly disclose it until Nov. 18, after The AJC wrote about a class-action lawsuit alleging a massive breach within the office.

Kemp has said all 12 data discs have either been recovered or destroyed. U.S. Rep. Hank Johnson, D-Lithonia, has asked for a federal investigation into the breach.

Genesis of a failure

The problem began with a request in August by the state Revenue Department for the statewide voter database, including the sensitive data not released to the general public.

Documents released by Kemp’s office detail a series of emails between lawyers, IT and information security officials and other staffers negotiating the release of the information. There is little explanation why Revenue needed the information except that it wanted to “match” the data with information in its own databases and it wanted an updated file every Oct. 1.

Rather than detail the exchange in a memorandum of understanding (MOU) between the two offices, staffers in Kemp’s office instead agreed to hand over voter data in exchange for a promise that private information would not be made public.

“If y’all can confirm that social security numbers would be redacted in the event this information was disclosed outside of your agency, then I think we can move forward without an MOU,” Ryan Germany, Kemp’s general counsel, wrote.

Kemp’s office policy on data distribution indicates that “non-standard” data requests — like the one from Revenue — are to be determined by the chief information officer “in conjunction with the other division heads” and developed into a written agreement which is submitted to the CIO for pre-approval. It is not clear from the records examined by the AJC that this happened.

Once the agreement was reached, Cooley was tasked with getting the information to Revenue. By October, Revenue staffers were asking Cooley when the data would be ready. In his written statement to investigators, Beaver, Kemp’s chief information officer, said Revenue “asked for a (sic) the file on an accelerated timeline.”

Cooley contacted PCC Technology Group, the vendor Kemp’s office uses to manage voter information, to get the transfer set up. In an Oct. 5 email, Cooley, following up on a telephone conversation with a PCC employee, asked for the additional data to be added to the statewide file.

“We would like this file to be create (sic) as soon as possible,” he wrote. “We can discuss the full automation from the application later.”

Eight days later, Cooley followed up, asking the PCC employee “did you forget about me?” In a reply just a few minutes later, the PCC employee told Cooley the request was done “the same day.”

That email is the smoking gun for Kemp’s internal investigation.

“The report is clear,” Dove said. “Gary bypassed policies when he ordered the report and then covered up his mistake. It’s also clear in his email from Oct. 5 that he directed the vendor to add three fields to the statewide file.”

But if Cooley was blatantly violating policy to fill the Department of Revenue’s request, he was doing so with the advance knowledge of his superiors, including Beaver, who, along with project manager Farah Allen, was copied on Cooley’s Oct. 5 email at the request of the vendor. In his statement to internal investigators, Beaver called Cooley’s Oct. 5 email “cryptic,” but he and Allen said nothing about it at the time.

Files weren’t checked

It is not the only example of an embarrassing policy slip in Kemp’s office. In April, Kemp’s elections director resigned after almost 8,000 voters were moved from inactive to “canceled” prior to this spring’s primaries and six days after a federal deadline for making such a change.

“One is one too many,” Kemp said of the error. “It was an honest mistake by a hard-working person and, unfortunately, she has to pay the price.”

One of the problems leading to the October release of voters’ private information was that no one looked at it before discs with the information were mailed out. Kemp’s official investigation blamed this on Cooley for not providing a way for the election worker, an elections systems support specialist named Kevin Reaves, to open the very large file on his computer.

“Although the Elections Systems Manager made a request to Mr. Cooley to provide at least the means of read only access to these large files …, Mr. Cooley did not provide assistance to comply with this request,” the investigators found.

Apparently, investigators based this conclusion on a statement from Election Systems Manager Erica Hamilton that Cooley “was aware of the inability for Elections to review a statewide file.”

However, it does not appear that Cooley, a software programmer, had the responsibility to upgrade office computers. In an interview with The AJC earlier this month, Cooley said he was aware elections workers could not open the entire file, but he knew they could view a limited amount of the data — about 1,000 rows — in Microsoft’s spreadsheet program, Excel.

Using that method, Reaves could have reviewed the file for unauthorized data before sending it out. In fact, Reaves was trained to do so, according to the person who trained him.

Mike Myers, another elections worker whose job previously had been to mail out the voter information discs, told investigators that he trained his replacement, Reaves, on the steps he needed to take when sending out voter information.

“I told him … the statewide voter file was too big to check before sending,” Myers told investigators. “I told him about checking the Excel voter files.”

Reaves said he couldn’t open the file “and no one told me otherwise.”

None of this confusion is reflected in the investigators’ report, only that Cooley alone was ultimately to blame.

Employee blamed for cover-up

While interview notes suggest blame for the release is shared by several in Kemp’s organization, special ire is aimed at Cooley for supposedly covering up the breach for weeks.

Cooley’s defense is that when he learned on Oct. 13 that the public voter data file had been altered, he checked the file and determined — wrongly — that it had not been accessed.

Emails show Cooley alerted PCC to the problem and asked the public file be returned to its normal state. He then notified the Department of Revenue that their data was ready.

Cooley told The AJC he thought he had dealt with the problem and was not trying to avoid blame. Investigators saw things differently and characterized Cooley’s decision as an attempt to “cover up his mistake.”

Cooley may not be helped by the fact that he is apparently considered aloof and difficult to supervise. A 20-year veteran of state government, Cooley was considered an expert in the Secretary of State’s “legacy” systems — older software used in prior administrations. His job description requires him to work “with limited supervision” but in his statement to investigators Beaver called Cooley “strong headed.”

“I had numerous conversations about him reducing and eliminating the amount of manual processes he would inject in IT system processes,” he wrote. “Even on this project, I had previously reminded Gary about the need to follow the process and not cut corners.”

While his supervisors were hired during Kemp’s administration, Dove said Cooley had been kept on “despite his record because he was the only employee with specialized knowledge of the mainframe system.”

The record Dove referred to appears to be a two-day suspension in August 2009, prior to Kemp’s election. Cooley’s personnel file does not indicate exactly why he was suspended, but a performance improvement plan developed for him required that “any external release of numbers must have the highest standard of review and accuracy through mandatory development procedures developed by Gary.”

Cooley’s file indicates he completed the improvement plan. A follow-up review in June 2010 gave Cooley high marks in every category, and there is no record of further discipline.


