ATLANTA -- The blame for a leak of personal voter information lies squarely with a fired employee of the Secretary of State's office, according to an internal report released today by Secretary of State Brian Kemp. The report says the employee had been suspended previously for sloppy work.
The report says IT worker Gary Cooley had been suspended in August 2009 for "failure to achieve accuracy in his work, failing to document audit processes, and failing to accurately and timely communicate his work flow to his supervisor."
In October, 2015, the Secretary of State's office inadvertently released personal voter information to a dozen organizations, including state political parties and news organizations. The Secretary of State releases data to such organizations routinely; however, this was the first time a statewide voter list release included social security and driver's license numbers.
Secretary of State Brian Kemp took responsibility for the release. However, the report released Monday puts the blame on Cooley, who was tasked to manage the transfer of the sensitive info to the state Department of Revenue.
Although he had been part of state government since 1995, the report describes Cooley as a worker who had trouble accepting office procedures – "independently minded in his work processes," the report says. He'd had no other disciplinary issues, however.
The data leak started with an August 2015 request from the state department of Revenue – which wanted to match its files with the secure data collected by the Secretary of State. "The specific information the Department requested was full date of birth, driver's license numbers, and full nine-digit social security numbers," the report said. It's not clear why the Revenue department needed the personal information for more than six million Georgia voters.
The report also says state officials discussed the need to "inquire as to the legality of sharing the information in the request before moving forward."
The report says state officials considered, then declined, to create a formal process that would have clarified how and why the personal information database was created for the Georgia Department of Revenue. Government attorneys decided that the formal process—creation of a Memorandum of Understanding – wasn't required by state law.
Kemp said Monday afternoon that the data breach happened despite policies and procedures meant to protect the information from public disclosure.
"Unfortunately, Mr. Cooley decided not to follow those policies and procedures when this incident occured." The report of the internal investigation, Kemp said, focuses on "what broke down there, why it didn't stop this information from being sent out, and we'll learn from that and make sure that it never happens in the future."
Jennifer Auer Jordan, the Atlanta attorney suing Kemp over the security breach on behalf of two Georgia voters, has more questions about the responsibilities entrusted to Cooley, given his work record.
"It's interesting, because if, in fact, Mr. Cooley did have as many issues as they now say he had," Jordan said Monday, "why in the world, in 2015, six years later, did they have him be the guy who really does have access to all this information?"
"Well that employee has been with this agency for twenty years," Kemp said, "and has institutional knowledge with our mainframe system that really no one else in the agency did. And I think, looking back, I probably would have done something different.... We had a kind of team working on this. And, unfortunately, human error intervened and he acted outside the scope of what he should have done. And that was human error. But, look, that's my responsibility to take ownership of this, it should not have happened, it would not have happened if it had gone through the proper procedures."
And, Kemp emphasized again, all the data was retrieved before any identity thieves obtained it.
"And people's personal information is safe. But it is disturbing.... We're gonna make sure this never happens again, and we're gonna make this agency stronger in the future because of it."
Gary Cooley told 11Alive news on Dec. 3 that he is, unjustly, the scapegoat in all of this.
On Monday he did not return messages for comment about the report and what it says about him.
By the end of the week, Georgians will be able to go to the Secretary of State's website to sign up with a credit monitoring company, at state expense, to make sure their data did not get into the wrong hands.