A long-awaited state report detailing how Georgia gave out more than 6 million voters’ Social Security numbers and other private data put the blame squarely on an employee fired for the breach last month.
That employee, longtime state programmer Gary Cooley, flouted office protocol and policy within Georgia Secretary of State Brian Kemp’s office, according to the internal report about the data breach released Monday by the office and the state Department of Human Resources.
The breach “was due to Mr. Cooley working outside of and circumventing established policies and procedures,” the report concluded. It called for more training, clearer policies and more active management of sensitive data.
After the report’s late afternoon release, Cooley — who until last month had worked either as a contractor or full-time employee for the state since 1995 — said he wanted more time to go through it and planned to issue a response Tuesday.
The report’s public release was the first full accounting by Kemp’s office of the gaffe. It provided more details about what happened, although it also confirmed much of a narrative provided by Cooley two weeks ago to The Atlanta Journal-Constitution.
It came as Gov. Nathan Deal approved Kemp’s hiring of outside attorneys to help him deal with a lawsuit related to the breach. It also came as a member of Georgia’s congressional delegation called for a federal investigation.
In a statement, Kemp downplayed that call, saying his office “has maintained constant communication with elected officials.”
“The vast majority of legislators approve of the steps we’ve taken to fix the issue,” Kemp said. “We have received particularly good response to (offering to provide) free credit monitoring to anyone who asks for it. Gov. Deal said he felt like my office had taken every step I could, and I appreciate that.”
The report said that in August, the Georgia Department of Revenue requested sensitive data including voters’ Social Security numbers, birth dates and driver’s license numbers in order to “match” entries it had in its database. The report does not say why the Revenue Department wanted to match the numbers, but the request started a chain reaction that led to the breach.
Once the office’s lawyers OK’d the request, Cooley in October contacted PCC Technology Group, an outside vendor tasked with managing voter data for the state, to fulfill the request.
While the agencies had wanted the sensitive information put into a new, secure file created specifically for that purpose, PCC misunderstood the request. Instead, it uploaded the data to an existing statewide voter file that should not have had the information. The report said only Cooley was supposed to have access to the statewide voter file but that he had shared his user ID with another employee.
That employee was not named in the report.
Days after the upload, the other employee accessed the file and burned it onto compact discs. It is a routine action, since the discs are mailed monthly to groups including the AJC that regularly subscribe to “voter lists” maintained by the state. In all, 12 organizations received those discs, including state political parties, news media organizations and Georgia GunOwner Magazine.
Kemp has said all 12 data discs have either been recovered or destroyed.
Cooley discovered the mix-up Oct. 13. He asked PCC to delete the sensitive data from the voter file, since it wasn’t supposed to go there. Cooley told the AJC he ran a test to confirm it had been deleted. Cooley said he also checked the office’s network to see whether anyone had pulled the file. He said he found no obvious signs it had. He said he did not know another employee had already accessed the file.
If Cooley had “chosen to mention the data issue to his supervisor” or others in the office, “the discs likely could have been recovered before they were even mailed,” the report said. “Instead, Mr. Cooley chose to cover up his mistake and remain quiet.”
The other employee, Cooley said, appeared to have put the file directly onto his computer hard drive instead of onto the office’s network, which Cooley said would explain why there was no electronic trace when he looked for it Oct. 13. Cooley also said the employee who mailed the discs was supposed to eyeball the data to confirm it looked right.
The report acknowledged that he didn’t, although it blamed Cooley for not providing the office a way to read big data files, including the voter file.
Kemp had already singled Cooley out for what the Secretary of State initially called a “clerical error.” Although the office had previously refused to release Cooley’s personnel record, the report said he had previously been reprimanded for a “tendency to act independently” that included “procedural issues” involving how he handled data.
Yet, the report also noted that the office singled Cooley out in a positive way, giving him special data access “because of his singular and unique institutional knowledge” of the office’s computer system.
While the breach occurred Oct. 13, the office didn’t find out about it until Nov. 13. It also didn’t publicly disclose it until Nov. 18, after the AJC wrote about a class-action lawsuit alleging a massive breach within the office.
Deal on Monday issued an executive order appointing the Troutman Sanders law firm to represent Kemp’s office in the lawsuit. Georgia Attorney General Sam Olens through a spokesman said his office had a conflict with the case, since it also oversees the state’s consumer protection efforts. Olens and Kemp, however, are also considered potential political rivals in the 2018 governor’s race.
U.S. Rep. Hank Johnson, D-Lithonia, on Monday requested that Federal Trade Commission chairwoman Edith Ramirez open an investigation into the breach.
Federal law, Johnson said, regulates how government should handle individual privacy rights in dealing with computerized databases, including the Privacy Act of 1964, the Social Security Act and the Driver’s Privacy Protection Act.
“All three statutes provide for criminal and civil penalties when violated, and there is strong evidence to suggest that these federal statutes were violated in the wake of this massive data breach,” Johnson said in the letter. “It is within the FTC’s authority to take action against entities that fail to protect citizens’ private data.”