Culture of expediency also to blame in Ga. data breach

The Georgia Secretary of State’s office, which acknowledged last month it inadvertently released personal information on every registered voter in the state, has blamed a single employee for the breach.

But records show the problem was deeper than the Secretary of State’s office has acknowledged, revealing a business culture that ignored written policies for the sake of expediency, according to a review by The Atlanta Journal-Constitution.

Secretary of State Brian Kemp, who declined to answer the AJC’s questions, blamed the release of Social Security numbers, birth dates and drivers’ license numbers on Gary Cooley, a low-level computer programmer. Kemp quickly fired Cooley, saying he failed to follow data-handling procedures and covered up his mistake for weeks.

Yet employee statements, emails, policies and other documents — hundreds of pages included as exhibits to the report — present a more nuanced picture of an office that paid little attention to the policies put in place to safeguard data until it was too late.

The day after the breach was discovered, the chief information officer for Kemp’s office, Merritt Beaver, acknowledged the lackadaisical approach to policies in an email sent to IT staff. Any changes to the office software had to adhere to policy “starting immediately,” he wrote.

“This has been the policy on most of our systems but there has (sic) been too many exceptions or workaround (sic) to get around the release management process,” he said.

Earlier this month, Kemp issued an 18-page investigative report on the breach, which impacted 6.2 million registered voters, that placed the blame on Cooley, a veteran computer programmer.

Kemp’s office refused to respond to a list of follow up questions from the AJC, including questions as basic as when certain employees were hired and requests to clarify certain statements made about the release of the data.

“All of this is included in the reports and exhibits,” said David Dove, Kemp’s lawyer and new chief of staff.

When pressed to point out the answers to The AJC’s questions in the mounds of documents, Dove did not reply.

Kemp’s office faces intense scrutiny following the admission last month that the personal information of every registered voter in the state was improperly included in files sent out to a dozen political and media organizations, including both the state Republican and Democratic parties, and the AJC. The organizations are entitled to voter registration information, which is considered a public record under the law, and routinely request the most recent data from the Secretary of State.

While the breach occurred Oct. 13, the Secretary of State’s Office didn’t find out about it until Nov. 13. It also didn’t publicly disclose it until Nov. 18, after The AJC wrote about a class-action lawsuit alleging a massive breach within the office.

Kemp has said all 12 data discs have either been recovered or destroyed. U.S. Rep. Hank Johnson, D-Lithonia, has asked for a federal investigation into the breach.

Genesis of a failure

The problem’s genesis began with a request in August by the state Revenue Department for the statewide voter database, including the sensitive data not released to the general public.

Documents released by Kemp’s office detail a series of emails between lawyers, IT and information security officials and other staffers negotiating the release of the information. There is little explanation why Revenue needed the information except that it wanted to “match” the data with information in its own databases and it wanted an updated file every Oct. 1.

Rather than detail the exchange in a memorandum of understanding (MOU)between the two offices, staffers in Kemp’s office instead agreed to hand over voter data in exchange for a promise that private information would not be made public.

“If y’all can can confirm that social security numbers would be redacted in the event this information was disclosed outside of your agency, then I think we can move forward without an MOU,” Ryan Germany, Kemp’s general counsel wrote.

Kemp’s office policy on data distribution indicates that “non-standard” data requests — like the one from Revenue — are to be determined by the chief information officer “in conjunction with the other division heads” and developed into a written agreement which is submitted to the CIO for pre-approval. It is not clear from the records examined by the AJC that this happened.

Once the agreement was reached, Cooley was tasked with getting the information to Revenue. By October, Revenue staffers were asking Cooley when the data would be ready. In his written statement to investigators, Beaver, Kemp’s chief information officer, said Revenue “asked for a (sic) the file on an accelerated timeline.”

Cooley contacted PCC Technology Group, the vendor Kemp’s office uses to manage voter information, to get the transfer set up. In an Oct. 5 email, Cooley, following up on a telephone conversation with a PCC employee, asked for the additional data to be added to the statewide file.

“We would like this file to be create (sic) as soon as possible,” he wrote. “We can discuss the full automation from the application later.”

Eight days later, Cooley followed up, asking the PCC employee “did you forget about me?” In a reply just a few minutes later, the PCC employee told Cooley the request was done “the same day.”

That email is the smoking gun for Kemp’s internal investigation.

“The report is clear,” Dove said. “Gary bypassed policies when he ordered the report and then covered up his mistake. It’s also clear in his email from Oct. 5 that he directed the vendor to add three fields to the statewide file.”

But if Cooley was blatantly violating policy to fill the Department of Revenue’s request, he was doing so with the advance knowledge of his superiors, including Beaver, who along with project manager Farah Allen were both copied on Cooley’s Oct. 5 email at the request of the vendor. In his statement to internal investigators, Beaver called Cooley’s Oct. 5 email “cryptic” but he and Allen said nothing about it at the time.

Files weren’t checked

It is not the only example of an embarrassing policy slip in Kemp’s office. In April, Kemp’s elections director resigned after almost 8,000 voters were moved from inactive to “canceled” prior to this spring’s primaries and six days after a federal deadline for making such a change.

“One is one too many,” Kemp said of the error. “It was an honest mistake by a hard-working person and, unfortunately, she has to pay the price.”

One of the problems leading to the October release of voters’ private information was that no one looked at it before discs with the information were mailed out. Kemp’s official investigation blamed this on Cooley for not providing a way for the election worker, an elections systems support specialist named Kevin Reaves, to open the very large file on his computer.

“Although the Elections Systems Manager made a request to Mr. Cooley to provide at least the means of read only access to these large files …, Mr. Cooley did not provide assistance to comply with this request,” the investigators found.

Apparently, investigators based this conclusion on a statement from Election Systems Manager Erica Hamilton that Cooley “was aware of the inability for Elections to review a statewide file.”

However, it does not appear that Cooley, a software programmer, had the responsibilities to upgrade office computers. In an interview with The AJC earlier this month, Cooley said he was aware elections workers could not open the entire file, but he knew they could view a limited amount of the data — about 1,000 rows — in Microsoft’s spreadsheet program, Excel.

Using that method, Reaves could have reviewed the file for unauthorized data before sending it out. In fact, Reaves was trained to do so, according to the person who trained him.

Mike Myers, another elections worker whose job previously had been to mail out the voter information disks, told investigators that he trained his replacement, Reaves, on the steps he needed to take when sending out voter information.

“I told him … the statewide voter file was too big to check before sending,” Myers told investigators. “I told him about checking the Excel voter files.”

Reaves said he couldn’t open the file “and no one told me otherwise.”

None of this confusion is reflected in the investigators’ report, only that Cooley alone was ultimately to blame.

Employee blamed for cover-up

While interview notes suggest blame for the release is shared by several in Kemp’s organization, special ire is aimed at Cooley for supposedly covering up the breach for weeks.

Cooley’s defense is that when he learned on Oct. 13 that the public voter data file had been altered, he checked the file and determined — wrongly — that it had not been accessed.

Emails show Cooley alerted PCC to the problem and asked the public file be returned to its normal state. He then notified the Department of Revenue that their data was ready.

Cooley told The AJC he thought he had dealt with the problem and was not trying to avoid blame. Investigators saw things differently and attributed Cooley’s decision as an attempt to “cover up his mistake.”

Cooley may not be helped by the fact that he is apparently considered aloof and difficult to supervise. A 20-year veteran of state government, Cooley was considered an expert in the Secretary of State’s “legacy” systems — older software used in prior administrations. His job description requires him to work “with limited supervision” but in his statement to investigators Beaver called Cooley “strong headed.”

“I had numerous conversations about him reducing and eliminating the amount of manual processes he would inject in IT system processes,” he wrote. “Even on this project, I had previously reminded Gary about the need to follow the process and not cut corners.”

While his supervisors were hired during Kemp’s administration, Dove said Cooley had been kept on “despite his record because he was the only employee with specialized knowledge of the mainframe system.”

The record Dove referred to appears to be a two-day suspension in August 2009, prior to Kemp’s election. Cooley’s personnel file does not indicate exactly why he was suspended, but a performance improvement plan developed for him required that “any external release of numbers must have the highest standard of review and accuracy through mandatory development procedures developed by Gary.”

Cooley’s file indicates he completed the improvement plan. A follow-up review in June 2010 gave Cooley high marks in every category, and there is no record of further discipline.

X