A journalism group called on Georgia Secretary of State Brian Kemp on Friday to release public records detailing how a massive data breach in the office happened and exactly how outside groups handled more than 6 million voters' personal information.
The Georgia chapter of the Society of Professional Journalists said the agency wrongly cited state law about open records in Georgia. The law allows agencies to exempt public documents from disclosure if they relate to an open internal investigation, although it is not mandatory in most cases.
“The open investigation exemption of the Open Records Act only applies to law enforcement, prosecution or regulatory agencies,” said Kennesaw State University journalism professor Carolyn Carlson, a former SPJ national president and Freedom of Information Committee member. “It specifically does not apply to records kept by the agency that is the subject of an investigation.”
Agency officials on Friday stood by their action, citing a different section of the law that allows them to shield records related to the suspension, firing or investigation of complaints against public officers or employees. They also repeated plans to release documents after the agency completes its investigation.
Among the documents the office will not release are the field notes from investigators describing how 12 organizations handled compact discs containing sensitive data that were accidentally given to them in October. Officials discovered the breach of information, including voters' Social Security numbers and birth dates, a month later.
The agency also refused to release the personnel file of the information technology employee fired two weeks ago following what Kemp called a “clerical error.”
That worker, longtime state programmer Gary Cooley, has disputed Kemp’s version of events and this week told The Atlanta Journal-Constitution that he did not have the security access to add millions of Social Security numbers and birth dates to a public data file.
Cooley instead outlined a more complicated series of missteps and miscommunication, both within the office and with PCC Technology Group, an outside vendor tasked with managing voter data for the state.
Kemp, who says he became aware of the breach Nov. 13, has said all 12 data discs illegally disclosing the private information have either been recovered or destroyed, and that the data were not disseminated. He also denied the disclosure was a breach of the state’s voter registration system, saying the system itself was not hacked.
On Thursday, Kemp announced plans to offer voters a year of free credit and identity theft monitoring services.
About the Author
